Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down. Adversaries may also extend system lock screen timeout settings. Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.
Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.
Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activty.
|ID||Data Source||Data Component||Detects|
Monitor and inspect commands and arguments associated with manipulating the power settings of a system.
Monitor for unexpected changes to configuration files associated with the power settings of a system.