T1653: Power Settings

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.

For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down. Adversaries may also extend system lock screen timeout settings. Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor and inspect commands and arguments associated with manipulating the power settings of a system.

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for unexpected changes to configuration files associated with the power settings of a system.

Mitigation

IDM1047NameAuditDescription

Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activty.