Power Settings

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.[1]

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.[2][3]

For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.[4] Adversaries may also extend system lock screen timeout settings.[5] Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.[6]

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.[7]

ID: T1653
Sub-techniques:  No sub-techniques
Tactic: Persistence
Platforms: Linux, Network, Windows, macOS
Contributors: Goldstein Menachem; Juan Tapiador
Version: 1.0
Created: 05 June 2023
Last Modified: 30 September 2023


ID Mitigation Description
M1047 Audit

Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activty.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor and inspect commands and arguments associated with manipulating the power settings of a system.

DS0022 File File Modification

Monitor for unexpected changes to configuration files associated with the power settings of a system.