title: Power Settings (T1653)
id: df00tech-t1653
status: experimental
description: "This detection identifies adversaries abusing power management utilities and configuration settings to prevent infected systems from entering sleep, hibernate, or shutdown states, thereby extending their access window. On Windows, suspicious invocations of powercfg.exe with timeout-disabling flags, registry modifications to power scheme keys, and lock screen timeout changes are monitored. On Linux, masking of systemd sleep targets and modifications to /etc/systemd/logind.conf are targeted. The detection also covers deletion of system shutdown/reboot binaries, a behavior observed in Condi botnet campaigns, and unusual processes setting sleep inhibitors outside of known legitimate software contexts."
references:
  - https://attack.mitre.org/techniques/T1653/
  - https://df00tech.com/detections/T1653
author: df00tech
date: 2026/03/20
tags:
  - attack.t1653
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators legitimately using powercfg.exe to configure power plans on server infrastructure or kiosk machines where sleep is intentionally disabled
  - "Enterprise power management software (e.g., HP Power Manager, Dell Command Power Manager) that sets timeouts to zero on always-on servers or workstations in data centers"
  - "Software deployment systems (SCCM, Intune) that temporarily disable hibernate during patching windows to prevent interrupted updates"
  - Automated build agents and CI/CD runner hosts that disable sleep to ensure long-running pipelines complete without interruption
  - Battery backup (UPS) management software modifying power settings as part of hibernation-on-power-loss configuration
level: medium
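The behaviours the description lists, checked over constructed process-creation events; this is an added example, not df00tech's published rule or KQL/SPL query, and the event field names, sample command lines and the sleep-inhibitor parent allowlist are assumptions for illustration:

```python
import re

# Constructed sample process-creation events (Sysmon/auditd-style fields, values made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "powercfg /change standby-timeout-ac 0", "parent": "cmd.exe"},
    {"host": "ws01", "cmd": "powercfg /hibernate off", "parent": "cmd.exe"},
    {"host": "ws02", "cmd": "powercfg /list", "parent": "cmd.exe"},
    {"host": "srv01", "cmd": "systemctl mask sleep.target suspend.target hibernate.target",
     "parent": "/bin/bash"},
    {"host": "srv01", "cmd": "rm -f /sbin/shutdown /sbin/reboot /sbin/poweroff", "parent": "/bin/sh"},
    {"host": "srv02", "cmd": "systemd-inhibit --what=sleep --who=svc sleep 3600",
     "parent": "/tmp/updater"},
    {"host": "srv03", "cmd": "systemd-inhibit --what=sleep --who=gnome sleep 60",
     "parent": "/usr/bin/gnome-shell"},
]

# (pattern, label) pairs for the behaviours the rule text describes.
RULES = [
    (re.compile(r"powercfg(\.exe)?\s.*(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b", re.I),
     "powercfg timeout set to 0"),
    (re.compile(r"powercfg(\.exe)?\s.*[/-]h(ibernate)?\s+off\b", re.I), "hibernate disabled"),
    (re.compile(r"reg(\.exe)?\s+add\s+.*\\Control\\Power\b", re.I), "power registry key modified"),
    (re.compile(r"systemctl\s+mask\s.*(sleep|suspend|hibernate|hybrid-sleep)\.target"),
     "systemd sleep target masked"),
    (re.compile(r"/etc/systemd/logind\.conf"), "logind.conf touched"),
    (re.compile(r"\brm\b.*/s?bin/(shutdown|reboot|poweroff|halt)\b"), "shutdown binary deleted"),
]
INHIBIT_RE = re.compile(r"systemd-inhibit\s.*--what=\S*\bsleep\b")
# Parents allowed to hold sleep inhibitors; a constructed allowlist, tune it per environment.
INHIBIT_ALLOWLIST = {"/usr/bin/gnome-shell", "/usr/bin/gnome-session-binary"}

def classify(event):
    """Return the labels matched by one process-creation event (empty list if benign)."""
    cmd = event.get("cmd", "")
    hits = [label for pattern, label in RULES if pattern.search(cmd)]
    # Inhibitors are only suspicious when the requesting parent is not a known desktop/session process.
    if INHIBIT_RE.search(cmd) and event.get("parent") not in INHIBIT_ALLOWLIST:
        hits.append("sleep inhibitor from unexpected parent")
    return hits

def detect(events):
    """Run classify() over an event stream and keep only events with at least one hit."""
    return [(e["host"], e["cmd"], labels) for e in events if (labels := classify(e))]

if __name__ == "__main__":
    for host, cmd, labels in detect(SAMPLE_EVENTS):
        print(f"{host}: {labels} <- {cmd}")
```

The patterns cover only process_creation telemetry; the registry and logind.conf changes in the description are better caught from registry-event or file-integrity sources when those are available.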
