T1653 Microsoft Sentinel · KQL

Detect Power Settings in Microsoft Sentinel

This detection identifies adversaries abusing power management utilities and configuration settings to prevent infected systems from entering sleep, hibernate, or shutdown states, thereby extending their access window. On Windows, suspicious invocations of powercfg.exe with timeout-disabling flags, registry modifications to power scheme keys, and lock screen timeout changes are monitored. On Linux, masking of systemd sleep targets and modifications to /etc/systemd/logind.conf are targeted. The detection also covers deletion of system shutdown/reboot binaries, a behavior observed in Condi botnet campaigns, and unusual processes setting sleep inhibitors outside of known legitimate software contexts.

MITRE ATT&CK

Tactic
Persistence
Technique
T1653 Power Settings
Canonical reference
https://attack.mitre.org/techniques/T1653/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousPowercfgArgs = dynamic(["/change", "-change", "/setacvalueindex", "-setacvalueindex", "/setdcvalueindex", "-setdcvalueindex", "/hibernate", "-hibernate", "/x", "-x"]);
let SleepTimeoutKeywords = dynamic(["standby-timeout", "hibernate-timeout", "monitor-timeout", "disk-timeout", "lock-timeout"]);
let PowerRegistryPaths = dynamic([
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power",
    "HKCU\\Control Panel\\PowerCfg",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power"
]);
// Branch 1: Suspicious powercfg.exe invocations disabling timeouts
let PowercfgAbuse = DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "powercfg.exe" or ProcessCommandLine has "powercfg"
| where ProcessCommandLine has_any (SuspiciousPowercfgArgs)
| extend TimeoutDisabled = ProcessCommandLine has_any (SleepTimeoutKeywords) and ProcessCommandLine has_any (" 0", " 0 ", "off", "never")
| extend HibernateDisabled = ProcessCommandLine has "hibernate" and ProcessCommandLine has_any ("off", " 0")
| where TimeoutDisabled or HibernateDisabled
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, FolderPath, SHA256
| extend DetectionType = "PowercfgTimeoutDisabled";
// Branch 2: Registry modifications to power policy keys
let PowerRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(1d)
| where RegistryKey has_any (PowerRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryValueName has_any ("ACSettingIndex", "DCSettingIndex", "Attributes", "CurrentPowerPolicy", "Hibernate", "StandbyTimeout", "HibernateTimeout", "MonitorTimeout")
| where isnotempty(RegistryValueData) and RegistryValueData in ("0", "00000000")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "PowerRegistryModification";
// Branch 3: Deletion of shutdown/reboot binaries (cross-platform consideration via Windows subsystem or admin tools)
let ShutdownBinaryDeletion = DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileDeleted"
| where FileName has_any ("shutdown.exe", "restart.exe") or FolderPath has_any ("\\Windows\\System32\\shutdown", "\\Windows\\SysWOW64\\shutdown")
| where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "msiexec.exe", "setup.exe", "wusa.exe")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DetectionType = "ShutdownBinaryDeletion";
// Combine all branches
PowercfgAbuse
| union PowerRegistryMod
| union ShutdownBinaryDeletion
| project-reorder Timestamp, DeviceName, AccountName, DetectionType
| order by Timestamp desc
medium severity medium confidence

Three-branch detection covering: (1) powercfg.exe invocations that set sleep, standby, hibernate, monitor, or lock timeouts to zero or disable hibernate entirely; (2) direct registry modifications to Windows power policy keys writing zero values to timeout settings; and (3) deletion of Windows shutdown/reboot binaries by non-trusted installers. Alerts are emitted across all three branches and labeled with a DetectionType field for triage prioritization.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceRegistryEventsDeviceFileEvents

False Positives & Tuning

  • IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
  • Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers
  • Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates
  • Automated build agents and CI/CD runner hosts that disable sleep to ensure long-running pipelines complete without interruption
  • Battery backup (UPS) management software modifying power settings as part of hibernation-on-power-loss configuration
Download portable Sigma rule (.yml)

Other platforms for T1653

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Disable Standby and Hibernate Timeouts via powercfg

    Expected signal: Windows Event ID 4688 or Sysmon EventID 1 for powercfg.exe with the full command line visible. DeviceRegistryEvents entries for HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes showing ACSettingIndex and DCSettingIndex values set to 0.

  2. Test 2Disable Hibernate via powercfg hibernate off

    Expected signal: Sysmon EventID 1 or Security EventID 4688 with ProcessCommandLine containing 'powercfg' and '/hibernate off' or '-h off'. DeviceFileEvents showing deletion of C:\hiberfil.sys (if hibernate was previously enabled).

  3. Test 3Mask systemd Sleep Targets on Linux

    Expected signal: Syslog or auditd entries showing systemctl execution with 'mask' and target names. If auditd EXECVE rules are configured, full command line will be captured. journalctl will show systemd unit mask operations.

Last updated: 2026-03-20 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1653 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1543Create or Modify System ProcessT1053.005Scheduled TaskT1496Resource HijackingT1037Boot or Logon Initialization ScriptsT1070Indicator Removal

Same Tactic: Persistence

Popular Detections