T1653 Splunk · SPL

Detect Power Settings in Splunk

This detection identifies adversaries abusing power management utilities and configuration settings to keep a compromised system from entering sleep, hibernate, or shutdown states, which extends their access window. The SPL query below matches powercfg.exe invocations that set the standby, hibernate, monitor or disk timeouts to zero or turn hibernation off, systemctl commands that mask the systemd sleep, suspend or hibernate targets, and Sysmon registry writes to the Windows power policy keys. Other behaviours that fall under this technique, such as lock screen timeout changes, edits to /etc/systemd/logind.conf, deletion of the system shutdown/reboot binaries (observed in Condi botnet campaigns), and unexpected processes registering sleep inhibitors, are not matched by this query and need file-integrity or EDR telemetry of their own.

MITRE ATT&CK

Tactic
Persistence
Technique
T1653 Power Settings
Canonical reference
https://attack.mitre.org/techniques/T1653/

SPL Detection Query

Splunk (SPL)
index=* (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
    OR
    (sourcetype="WinEventLog:Security" EventCode=4688)
    OR
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12,13,14))
)
| eval proc_name=lower(coalesce(Image, NewProcessName, ProcessName))
| eval cmdline=lower(coalesce(CommandLine, Process_Command_Line, ProcessCommandLine, ""))
| eval registry_path=lower(coalesce(TargetObject, ""))
| eval event_source=case(
    EventCode=1 OR EventCode=4688, "process",
    EventCode IN (12,13,14), "registry",
    true(), "unknown"
  )
| where (
    event_source="process" AND (
        (proc_name LIKE "%powercfg%" AND (
            (cmdline LIKE "%standby-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%hibernate-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%monitor-timeout%" AND (cmdline LIKE "% 0%" OR cmdline LIKE "%off%"))
            OR (cmdline LIKE "%disk-timeout%" AND cmdline LIKE "% 0%")
            OR (cmdline LIKE "%hibernate off%")
            OR (cmdline LIKE "%-h off%")
            OR (cmdline LIKE "%/h off%")
            OR (cmdline LIKE "%setacvalueindex%")
            OR (cmdline LIKE "%setdcvalueindex%")
        ))
        OR (proc_name LIKE "%systemctl%" AND (
            cmdline LIKE "%mask%sleep%"
            OR cmdline LIKE "%mask%hibernate%"
            OR cmdline LIKE "%mask%suspend%"
        ))
    )
  )
  OR (
    event_source="registry" AND (
        registry_path LIKE "%\\control\\power%"
        OR registry_path LIKE "%powercfg%"
        OR registry_path LIKE "%policies\\microsoft\\power%"
    ) AND EventCode=13
  )
| eval detection_type=case(
    event_source="process" AND proc_name LIKE "%powercfg%", "PowercfgAbuse",
    event_source="process" AND proc_name LIKE "%systemctl%", "SystemctlSleepMask",
    event_source="registry", "PowerRegistryModification",
    true(), "Unknown"
  )
| eval parent_proc=coalesce(ParentImage, ParentProcessName, "unknown")
| eval host=coalesce(ComputerName, host)
| eval user=coalesce(User, SubjectUserName, "unknown")
| table _time, host, user, detection_type, proc_name, cmdline, parent_proc, registry_path
| sort - _time
Severity: medium · Confidence: medium

Multi-source SPL detection using Sysmon process creation (EventCode=1), Windows Security process creation (EventCode=4688), and Sysmon registry value set events (EventCode=13) to identify powercfg.exe invocations that disable power timeouts or hibernation, and direct registry writes to the Windows power policy keys. Results are labeled with a detection_type field for analyst triage. Three things to check before deploying it: the base search only admits the two Windows sourcetypes, so the systemctl branch cannot fire until a Linux process-execution sourcetype (auditd EXECVE records, for example) is added to the base search, its command-line field is mapped into cmdline, and the event_source case treats it as "process"; Sysmon only emits EventCode 13 for the power keys if its configuration contains a RegistryEvent rule covering HKLM\SYSTEM\CurrentControlSet\Control\Power; and index=* should be narrowed to the indexes that actually hold these sourcetypes. Security EventCode 4688 carries the command line only when "Include command line in process creation events" is enabled.
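To test the query's patterns without a Splunk instance, the following re-implements its where/eval logic in Python and runs it over a handful of constructed events. This is an added example, not code from the original page or from Splunk; the sourcetype name linux_audit and the field names exe and proctitle for decoded auditd records are assumptions, as is the include_linux switch, which shows the extension the published query would need for its systemctl branch to fire. The 4688 command line is read from Process_Command_Line, the field name the Splunk Add-on for Microsoft Windows gives it, as well as from CommandLine.

```python
"""Offline re-implementation of the T1653 SPL matching logic (added example, not from the page)."""
import re

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"
LINUX_AUDIT = "linux_audit"  # assumed sourcetype name for decoded auditd records

# (sourcetype, EventCode) pairs admitted by the query's base search.
BASE_SEARCH = {(SYSMON, 1), (SECURITY, 4688), (SYSMON, 12), (SYSMON, 13), (SYSMON, 14)}

POWERCFG_TIMEOUTS = ("standby-timeout", "hibernate-timeout", "monitor-timeout")
HIBERNATE_OFF = ("%hibernate off%", "%-h off%", "%/h off%")
REGISTRY_KEYS = ("%\\control\\power%", "%powercfg%", "%policies\\microsoft\\power%")


def like(value, pattern):
    """SPL LIKE semantics: '%' matches any run, '_' one character, everything else literal."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def coalesce(event, *names):
    """SPL coalesce(): first listed field that is present, else empty string."""
    for name in names:
        if event.get(name) is not None:
            return event[name]
    return ""


def classify(event, include_linux=False):
    """Return the detection_type the query assigns to one event, or None.

    include_linux=True admits the assumed auditd sourcetype and treats it as a
    process-creation record; the published query does neither, so its systemctl
    branch never matches anything."""
    code = event.get("EventCode")
    admitted = (event.get("sourcetype"), code) in BASE_SEARCH
    if include_linux and event.get("sourcetype") == LINUX_AUDIT:
        admitted, code = True, 1
    if not admitted:
        return None
    proc = coalesce(event, "Image", "NewProcessName", "ProcessName", "exe").lower()
    cmd = coalesce(event, "CommandLine", "Process_Command_Line", "ProcessCommandLine", "proctitle").lower()
    reg = coalesce(event, "TargetObject").lower()
    source = "process" if code in (1, 4688) else "registry"

    if source == "process":
        if like(proc, "%powercfg%") and (
            any(like(cmd, f"%{t}%") and (like(cmd, "% 0%") or like(cmd, "%off%")) for t in POWERCFG_TIMEOUTS)
            or (like(cmd, "%disk-timeout%") and like(cmd, "% 0%"))
            or any(like(cmd, p) for p in HIBERNATE_OFF)
            or like(cmd, "%setacvalueindex%")
            or like(cmd, "%setdcvalueindex%")
        ):
            return "PowercfgAbuse"
        if like(proc, "%systemctl%") and any(like(cmd, f"%mask%{t}%") for t in ("sleep", "hibernate", "suspend")):
            return "SystemctlSleepMask"
        return None
    # Registry branch: EventCode 12 and 14 pass the base search but are dropped here.
    if code == 13 and any(like(reg, p) for p in REGISTRY_KEYS):
        return "PowerRegistryModification"
    return None


# Constructed sample events, not captured from a real host.
POWER_KEY = (r"HKLM\System\CurrentControlSet\Control\Power\User\PowerSchemes"
             r"\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20"
             r"\29f6c1db-86da-48c5-9fdb-f2b67b1f44da\ACSettingIndex")
SAMPLE_EVENTS = [
    {"sourcetype": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg.exe /change standby-timeout-ac 0", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"sourcetype": SECURITY, "EventCode": 4688, "NewProcessName": r"C:\Windows\System32\powercfg.exe",
     "Process_Command_Line": "powercfg /h off"},
    {"sourcetype": SYSMON, "EventCode": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": POWER_KEY, "Details": "DWORD (0x00000000)"},
    {"sourcetype": SYSMON, "EventCode": 12, "Image": r"C:\Windows\regedit.exe", "TargetObject": POWER_KEY},
    {"sourcetype": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /list"},  # benign enumeration, must not fire
    {"sourcetype": LINUX_AUDIT, "exe": "/usr/bin/systemctl",
     "proctitle": "systemctl mask sleep.target suspend.target hibernate.target"},
]


def run(events, include_linux=False):
    """Classify every event; returns one detection_type (or None) per event, in order."""
    return [classify(e, include_linux=include_linux) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, include_linux=True)):
        what = coalesce(ev, "CommandLine", "Process_Command_Line", "proctitle", "TargetObject")
        print(f"{hit or '-':26} {what}")
```

Running it shows the two powercfg invocations and the ACSettingIndex write firing, the EventCode 12 key creation and the benign powercfg /list staying silent, and the systemctl mask event firing only when include_linux=True, which is the change the real query needs in its base search and event_source mapping.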

Data Sources

Sysmon
Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
WinEventLog:Security

False Positives & Tuning

  • Server infrastructure management tools that configure always-on power policies for production servers and rack-mounted hardware
  • Enterprise desktop management platforms (Tanium, BigFix) that apply standardized power configurations fleet-wide via scripted powercfg invocations
  • Presentation or digital signage software that sets monitor and sleep timeouts to zero to prevent displays from blanking during scheduled content
  • Automated patch management systems temporarily disabling hibernate during maintenance windows to prevent mid-patch reboots
  • Gaming optimization tools and game launchers that modify power settings to prevent system sleep during active gaming sessions

Testing Methodology

Validate this detection with the three Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Disable Standby and Hibernate Timeouts via powercfg

    Expected signal: Windows Security Event ID 4688 or Sysmon Event ID 1 for powercfg.exe with the full command line visible (command-line auditing must be enabled for 4688). Sysmon Event ID 13, or equivalent EDR registry telemetry, for values under HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes showing ACSettingIndex and DCSettingIndex set to 0.

  2. Test 2: Disable Hibernate via powercfg hibernate off

    Expected signal: Sysmon Event ID 1 or Security Event ID 4688 with a command line containing 'powercfg' and '/hibernate off', '/h off' or '-h off'; confirm that the query's patterns cover the exact form your test uses. File telemetry (Sysmon Event ID 23 or 26 if configured, or EDR file events) showing deletion of C:\hiberfil.sys, which only happens if hibernate was previously enabled.

  3. Test 3: Mask systemd Sleep Targets on Linux

    Expected signal: syslog or auditd entries showing systemctl execution with 'mask' and the target names. If auditd EXECVE rules are configured, the full argument vector is captured. On disk, /etc/systemd/system/sleep.target (and the other masked targets) becomes a symlink to /dev/null, which file-integrity monitoring can pick up. journalctl will show systemd unit mask operations.

Unlock Pro Content

Get the full detection package for T1653 including response playbook, investigation guide, and atomic red team tests.
