Detect Power Settings in IBM QRadar
This detection identifies adversaries abusing power management utilities and configuration settings to prevent infected systems from entering sleep, hibernate, or shutdown states, thereby extending their access window. On Windows, suspicious invocations of powercfg.exe with timeout-disabling flags, registry modifications to power scheme keys, and lock screen timeout changes are monitored. On Linux, masking of systemd sleep targets and modifications to /etc/systemd/logind.conf are targeted. The detection also covers deletion of system shutdown/reboot binaries, a behavior observed in Condi botnet campaigns, and unusual processes setting sleep inhibitors outside of known legitimate software contexts.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1653 Power Settings
- Canonical reference: https://attack.mitre.org/techniques/T1653/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powercfg%' AND ("CommandLine" ILIKE '%hibernate off%' OR "CommandLine" ILIKE '%-h off%') THEN 'HibernateDisabled'
        WHEN "CommandLine" ILIKE '%powercfg%' AND "CommandLine" ILIKE '%-timeout-%' THEN 'PowerTimeoutChange'
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "username" = 'SYSTEM' THEN 70
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND "EventID" IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powercfg.exe%'
        OR "NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
ORDER BY devicetime DESC
LAST 1 HOURS

This AQL search queries the QRadar event pipeline for process-creation events (Windows Security 4688 and Sysmon 1) whose process name or command line is consistent with T1653 power-settings tampering, and labels each hit with a MITRE ATT&CK-aligned detection type and a risk score. EventID, username, CommandLine, ParentProcessName and NewProcessName are custom event properties and must be parsed from the Windows DSM before the search returns results. Note that a column alias such as RiskScore cannot be filtered in the WHERE clause of an AQL query; the score is for triage ordering, and any threshold belongs in the rule response or in a wrapping query.
False Positives & Tuning
- IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
- Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
- Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Disable Standby and Hibernate Timeouts via powercfg
  Expected signal: Windows Event ID 4688 or Sysmon Event ID 1 for powercfg.exe with the full command line visible. DeviceRegistryEvents entries for HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes showing ACSettingIndex and DCSettingIndex values set to 0.
- Test 2: Disable Hibernate via powercfg hibernate off
  Expected signal: Sysmon Event ID 1 or Security Event ID 4688 with ProcessCommandLine containing 'powercfg' and '/hibernate off' or '-h off'. DeviceFileEvents showing deletion of C:\hiberfil.sys (if hibernate was previously enabled).
- Test 3: Mask systemd Sleep Targets on Linux
  Expected signal: Syslog or auditd entries showing systemctl execution with 'mask' and the target names. If auditd EXECVE rules are configured, the full command line will be captured. journalctl will show the systemd unit mask operations.
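The detection logic and the tuning described in the False Positives section, as an added Python example that is not part of this page's QRadar rule: it classifies constructed Windows 4688/Sysmon 1 and Linux command-line records so the powercfg, systemctl mask and shutdown-binary-deletion patterns can be unit-tested against the three test cases above before being ported to AQL. The record schema (command_line, parent_process, user) and the allowlisted parent processes are assumptions.

```python
"""Classify power-settings tampering (T1653) in process-creation records.
Added example, not the QRadar rule on this page: the same flag and target
patterns in Python so they can be unit-tested before being ported to AQL."""
import re

# Tuning knob: parent processes treated as sanctioned power-plan management.
# Assumed values; adjust to the deployment tooling present in the environment.
ALLOWED_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe"}
TUNABLE = {"HibernateDisabled", "TimeoutDisabled"}  # types the allowlist suppresses

# (pattern, detection type, base risk score); first match wins.
RULES = [
    (re.compile(r"powercfg(\.exe)?\b.*[/-](h|hibernate)\s+off", re.I), "HibernateDisabled", 75),
    (re.compile(r"powercfg(\.exe)?\b.*-timeout-(ac|dc)\s+0\b", re.I), "TimeoutDisabled", 80),
    (re.compile(r"systemctl\b.*\bmask\b.*(sleep|suspend|hibernate|hybrid-sleep)\.target", re.I),
     "SleepTargetMasked", 80),
    (re.compile(r"\brm\b.*/s?bin/(shutdown|reboot|poweroff|halt)\b", re.I), "ShutdownBinaryDeleted", 90),
]

def classify(event):
    """Return (detection_type, risk_score) for a suspicious record, else None.
    `event` carries command_line, parent_process and user (constructed schema)."""
    cmd = event.get("command_line", "")
    for pattern, det_type, score in RULES:
        if not pattern.search(cmd):
            continue
        parent = event.get("parent_process", "").rsplit("\\", 1)[-1].lower()
        if det_type in TUNABLE and parent in ALLOWED_PARENTS:
            return None  # patch-window power tweak by deployment tooling
        if event.get("user", "").upper() == "SYSTEM":
            score = max(score, 85)  # unattended SYSTEM-context changes rank higher
        return det_type, score
    return None

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powercfg.exe /change standby-timeout-ac 0"},
    {"user": "SYSTEM", "parent_process": "C:\\Windows\\CCM\\CcmExec.exe",
     "command_line": "powercfg -h off"},
    {"user": "root", "parent_process": "/bin/bash",
     "command_line": "systemctl mask sleep.target suspend.target"},
    {"user": "CORP\\jdoe", "parent_process": "C:\\Windows\\explorer.exe",
     "command_line": "powercfg /list"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "benign", "<-", ev["command_line"])
```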
References (6)
- https://attack.mitre.org/techniques/T1653/
- https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
- https://www.fortinet.com/blog/threat-research/coinloader-a-sophisticated-malware-loader-campaign
- https://www.rapid7.com/blog/post/2022/12/06/two-new-monero-malware-attacks-target-windows-and-android-users/
- https://www.trendmicro.com/en_us/research/22/k/batloader-the-evasive-downloader-malware.html
- https://www.freedesktop.org/software/systemd/man/systemd-sleep.conf.html