Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate, which can disrupt malicious activity.[1]
Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.[2][3]
For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.[4] Adversaries may also extend system lock screen timeout settings.[5] Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.[6]
Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shutdown or reboot.[7]
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activity. |
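One way to carry out that audit is to collect `powercfg /query` output from each host and diff the idle timeouts against an expected baseline, since an index of 0 on a timeout setting means "Never". The script below is an added example, not code from the original page or from ATT&CK: the query excerpt is constructed (the GUID aliases such as STANDBYIDLE and VIDEOIDLE are the documented Windows ones, but the values were chosen to show zeroed AC timeouts), and the `BASELINE` dictionary is an assumed organisational baseline you would replace with your own.

```python
import re

# Constructed excerpt of `powercfg /query` output for the active scheme,
# trimmed to the Sleep and Display subgroups. The layout mirrors the real
# tool; the index values were chosen so that the AC idle timeouts are 0,
# which powercfg reports as "Never".
SAMPLE_QUERY = """\
Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced)
  Subgroup GUID: 238c9fa8-0aad-41ed-83f4-97be242c8f20  (Sleep)
    GUID Alias: SUB_SLEEP
    Power Setting GUID: 29f6c1db-86da-48c5-9fdb-f2b67b1f44da  (Sleep after)
      GUID Alias: STANDBYIDLE
      Minimum Possible Setting: 0x00000000
      Maximum Possible Setting: 0xffffffff
      Possible Settings increment: 0x00000001
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000384

    Power Setting GUID: 9d7815a6-7ee4-497e-8888-515a05f02364  (Hibernate after)
      GUID Alias: HIBERNATEIDLE
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000000

  Subgroup GUID: 7516b95f-f776-4464-8c53-06167f40cc99  (Display)
    GUID Alias: SUB_VIDEO
    Power Setting GUID: 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e  (Turn off display after)
      GUID Alias: VIDEOIDLE
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x0000012c
"""

# Assumed organisational baseline, in seconds, per setting alias and power source.
BASELINE = {
    "STANDBYIDLE":   {"AC": 1800,  "DC": 900},
    "HIBERNATEIDLE": {"AC": 10800, "DC": 3600},
    "VIDEOIDLE":     {"AC": 600,   "DC": 300},
    "DISKIDLE":      {"AC": 1200,  "DC": 600},
}

_INDEX = re.compile(r"Current (AC|DC) Power Setting Index: 0x([0-9a-fA-F]+)")


def parse_powercfg_query(text):
    """Map each aliased power setting to its current AC/DC index values."""
    settings = {}
    alias = None
    in_setting = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Subgroup GUID:"):
            # The alias that follows names the subgroup (SUB_SLEEP), not a setting.
            in_setting, alias = False, None
        elif line.startswith("Power Setting GUID:"):
            in_setting, alias = True, None
        elif line.startswith("GUID Alias:") and in_setting:
            alias = line.split(":", 1)[1].strip()
            settings.setdefault(alias, {})
        else:
            m = _INDEX.match(line)
            if m and alias:
                settings[alias][m.group(1)] = int(m.group(2), 16)
    return settings


def audit_idle_timeouts(settings, baseline):
    """Return (alias, power, current, expected) for each timeout that deviates
    from the baseline. Settings absent from the scheme are skipped."""
    findings = []
    for alias, expected in baseline.items():
        for power, want in expected.items():
            got = settings.get(alias, {}).get(power)
            if got is not None and got != want:
                findings.append((alias, power, got, want))
    return findings


if __name__ == "__main__":
    parsed = parse_powercfg_query(SAMPLE_QUERY)
    for alias, power, got, want in audit_idle_timeouts(parsed, BASELINE):
        state = "Never" if got == 0 else f"{got}s"
        print(f"{alias} {power}: {state} (baseline {want}s)")
```

Keep a separate baseline per device class: a desktop that is always on AC may legitimately carry "Never" for sleep, so compare against what the GPO or build image is supposed to set rather than treating 0 as malicious on its own. The parser only keys on settings that carry a `GUID Alias` line; custom or vendor settings without one are ignored.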
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor and inspect commands and arguments associated with manipulating the power settings of a system. |
DS0022 | File | File Modification | Monitor for unexpected changes to configuration files associated with the power settings of a system. |
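The Command Execution data component above can be turned into a concrete rule over process-creation command lines (Security 4688 or Sysmon Event ID 1). The script below is an added example, not code from the original page or from ATT&CK. It scores powercfg timeout changes, `reg add` writes to the lock screen timeout values, and deletion of shutdown.exe, covering the behaviours the description lists. The events, host names and users are constructed; the severities and the `BASELINE`-free "0 means disabled" heuristic are my own assumptions.

```python
# Constructed process-creation events (the CommandLine field of a Security
# 4688 or Sysmon Event ID 1 record); not real telemetry. The last two are
# benign on purpose: a read-only query and a non-zero timeout change.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "cmd": "powercfg /change standby-timeout-ac 0"},
    {"host": "ws01", "user": "alice", "cmd": "powercfg -x monitor-timeout-ac 0"},
    {"host": "ws02", "user": "SYSTEM", "cmd": "powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0"},
    {"host": "ws02", "user": "SYSTEM", "cmd": "powercfg /hibernate off"},
    {"host": "ws03", "user": "bob", "cmd": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v InactivityTimeoutSecs /t REG_DWORD /d 0 /f"},
    {"host": "ws03", "user": "bob", "cmd": r'reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 0 /f'},
    {"host": "ws03", "user": "bob", "cmd": r"cmd.exe /c del C:\Windows\System32\shutdown.exe"},
    {"host": "ws04", "user": "admin", "cmd": "powercfg /list"},
    {"host": "ws04", "user": "admin", "cmd": "powercfg /change standby-timeout-ac 30"},
]

# powercfg /change (alias /x) settings that control idle timeouts, in minutes.
TIMEOUT_SETTINGS = {
    "standby-timeout-ac", "standby-timeout-dc", "monitor-timeout-ac", "monitor-timeout-dc",
    "hibernate-timeout-ac", "hibernate-timeout-dc", "disk-timeout-ac", "disk-timeout-dc",
}
# Setting aliases used with /setacvalueindex and /setdcvalueindex.
IDLE_ALIASES = {"standbyidle", "hibernateidle", "videoidle", "diskidle"}
# Registry values that govern the lock screen / screen saver timeout.
LOCK_VALUES = {"inactivitytimeoutsecs", "screensaveactive", "screensavetimeout"}
DELETE_VERBS = {"del", "erase", "ren", "rename", "move", "remove-item", "rm"}


def _base(token):
    """Executable or file name without its path or surrounding quotes."""
    return token.rsplit("\\", 1)[-1].strip('"')


def _powercfg(args):
    # Normalise "/change" and "-change" to the same spelling before matching.
    a = [t[1:] if t[:1] in ("/", "-") else t for t in args]
    if len(a) >= 3 and a[0] in ("change", "x") and a[1] in TIMEOUT_SETTINGS:
        return ("high" if a[2] == "0" else "low", f"powercfg {a[1]} set to {a[2]} (0 = never)")
    if len(a) >= 5 and a[0] in ("setacvalueindex", "setdcvalueindex") and a[3] in IDLE_ALIASES:
        return ("high" if a[4] == "0" else "low", f"powercfg {a[3]} index set to {a[4]} via {a[0]}")
    if len(a) >= 2 and a[0] in ("hibernate", "h") and a[1] == "off":
        return ("high", "hibernation disabled")
    return None


def _reg(args):
    if len(args) < 2 or args[0] != "add" or "/v" not in args:
        return None
    vi = args.index("/v")
    key = " ".join(args[1:vi])          # re-join keys that contain spaces
    name = args[vi + 1] if vi + 1 < len(args) else ""
    data = ""
    if "/d" in args and args.index("/d") + 1 < len(args):
        data = args[args.index("/d") + 1]
    if name in LOCK_VALUES and ("policies\\system" in key or "control panel\\desktop" in key):
        return ("high" if data == "0" else "low", f"lock timeout value {name} set to {data or '?'}")
    return None


def analyze_command(cmd):
    """Return (severity, reason) for a suspicious power-setting command, else None."""
    toks = [t.lower() for t in cmd.split()]   # whitespace split; quoted paths need a real parser
    if not toks:
        return None
    exe = _base(toks[0])
    if exe in ("powercfg", "powercfg.exe"):
        return _powercfg(toks[1:])
    if exe in ("reg", "reg.exe"):
        return _reg(toks[1:])
    if any(_base(t) == "shutdown.exe" for t in toks) and any(t in DELETE_VERBS for t in toks):
        return ("high", "shutdown.exe deleted or renamed")
    return None


def analyze_events(events):
    alerts = []
    for ev in events:
        hit = analyze_command(ev["cmd"])
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "severity": hit[0], "reason": hit[1], "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in analyze_events(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']}: {a['reason']} :: {a['cmd']}")
```

Changes to a non-zero value are kept at low severity rather than dropped, because an attacker extending a timeout to a very large value achieves the same effect as disabling it; tune the threshold to your baseline. The rule only sees what ran through a command line, so pair it with the File Modification data component for changes made through the Settings UI, Group Policy or WMI.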