T1653: Power Settings
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.
Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.
For example, powercfg
controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down. Adversaries may also extend system lock screen timeout settings. Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.
Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.
Positive Technologies products that cover the technique
Description of detection methods is not available yet
Detection
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor and inspect commands and arguments associated with manipulating the power settings of a system. |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for unexpected changes to configuration files associated with the power settings of a system. |
---|
Mitigation
ID | M1047 | Name | Audit | Description | Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activty. |
---|