Persistence

T1653: Power Settings

T1653 · Technique · 4 platforms

Description

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux)

For example, powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign)
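As an added defender-side example (not tooling from MITRE ATT&CK or from the reports cited above), the Python script below parses the text that `powercfg /query` prints on Windows and flags the idle timeouts this technique abuses: a current setting index of 0 means the timeout is disabled ("Never" in the Power Options GUI), and any value above a configured baseline is reported as well. The sample output is constructed to mimic the `powercfg /query` layout rather than captured from a real host, and `BASELINE_MAX_SECONDS` is a hypothetical policy; on a live host you would feed the script the real command output.

```python
"""Audit the idle timeouts in `powercfg /query` output for values that keep a host awake.

Added example (not ATT&CK's own tooling). The sample text is constructed to mimic the
layout of `powercfg /query`; the baseline thresholds are a hypothetical policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modeled on `powercfg /query` output (not captured from a real host).
# A current index of 0x00000000 is what the Power Options GUI shows as "Never".
SAMPLE_POWERCFG_QUERY = """\
Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced)
  Subgroup GUID: 0012ee47-9041-4b5d-9b77-535fcf2e5b4c  (Hard disk)
    Power Setting GUID: 6738e2c4-e8a5-4a42-b16a-e040e769756e  (Turn off hard disk after)
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000000
  Subgroup GUID: 7516b95f-f776-4464-8c53-06167f40cc99  (Display)
    Power Setting GUID: 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e  (Turn off display after)
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x0000012c
  Subgroup GUID: 238c9fa8-0aad-41ed-83f4-97be242c8f20  (Sleep)
    Power Setting GUID: 29f6c1db-86da-48c5-9fdb-f2b67b1f44da  (Sleep after)
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00000384
    Power Setting GUID: 9d7815a6-7ee4-497e-8888-515a05f02364  (Hibernate after)
      Possible Settings units: Seconds
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x00015180
"""

# Hypothetical organisational baseline: the longest acceptable idle timeout, in seconds.
BASELINE_MAX_SECONDS = {
    "Turn off display after": 1800,
    "Turn off hard disk after": 3600,
    "Sleep after": 3600,
    "Hibernate after": 7200,
}

SETTING_RE = re.compile(r"Power Setting GUID:\s*[0-9a-fA-F-]+\s+\((.+?)\)\s*$")
INDEX_RE = re.compile(r"Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)\s*$")


def parse_powercfg_query(text: str) -> dict[tuple[str, str], int]:
    """Return {(setting name, 'AC'|'DC'): current value} for every setting in the dump."""
    values: dict[tuple[str, str], int] = {}
    setting = None
    for line in text.splitlines():
        if m := SETTING_RE.search(line):
            setting = m.group(1)          # the human-readable name in parentheses
        elif (m := INDEX_RE.search(line)) and setting is not None:
            values[(setting, m.group(1))] = int(m.group(2), 16)
    return values


@dataclass(frozen=True)
class Finding:
    setting: str
    power_source: str   # "AC" (plugged in) or "DC" (battery)
    value: int
    reason: str


def audit_idle_timeouts(values, baseline=BASELINE_MAX_SECONDS) -> list[Finding]:
    """Flag timeouts that are disabled (0 = Never) or longer than the baseline allows."""
    findings = []
    for (name, source), value in sorted(values.items()):
        limit = baseline.get(name)
        if limit is None:
            continue                      # not a timeout this audit tracks
        if value == 0:
            findings.append(Finding(name, source, value, "disabled (0 = Never)"))
        elif value > limit:
            findings.append(Finding(name, source, value, f"{value}s exceeds baseline {limit}s"))
    return findings


if __name__ == "__main__":
    # On a live Windows host, replace SAMPLE_POWERCFG_QUERY with the stdout of
    # subprocess.run(["powercfg", "/query"], capture_output=True, text=True).
    for f in audit_idle_timeouts(parse_powercfg_query(SAMPLE_POWERCFG_QUERY)):
        print(f"[{f.power_source}] {f.setting}: {f.reason}")
```

The parser keys on the setting name in parentheses rather than the GUID, so it also works for localized or renamed power schemes as long as the baseline uses the same names. A setting that is absent from the dump produces no finding, so a missing "Hibernate after" entry (for instance when hibernation is unavailable on the hardware) is not mistaken for tampering.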

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)
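The Linux side, as an added example that is not part of this page or any cited report: the script audits a filesystem root for the conditions the paragraphs above describe, shutdown/reboot binaries that have been removed, sleep targets that `systemctl mask` has linked to `/dev/null`, and `Allow*=no` keys in `/etc/systemd/sleep.conf`. The binary paths and unit names are standard systemd locations; `build_demo_root()` constructs a throwaway directory for demonstration rather than inspecting the real host, and on a non-systemd distribution the expected paths would need adjusting.

```python
"""Audit a Linux root for removed shutdown/reboot tooling and disabled sleep states.

Added example, not part of ATT&CK or any cited report. The paths and unit names are
standard systemd locations; the demo root built by build_demo_root() is constructed.
"""
from __future__ import annotations

import os
import re
import tempfile

# Binaries that normally invoke shutdown or reboot on a systemd-based host (relative to root).
SHUTDOWN_BINARIES = ("sbin/shutdown", "sbin/reboot", "sbin/poweroff", "sbin/halt")
# Units that `systemctl mask` links to /dev/null when sleep states are disabled.
SLEEP_TARGETS = ("sleep.target", "suspend.target", "hibernate.target", "hybrid-sleep.target")
# Keys in /etc/systemd/sleep.conf that switch off a sleep state when set to "no".
SLEEP_CONF_RE = re.compile(
    r"^\s*(Allow(?:Suspend|Hibernation|HybridSleep|SuspendThenHibernate))\s*=\s*no\s*$", re.I
)


def audit_linux_power_controls(root: str = "/") -> list[str]:
    """Return human-readable findings; an empty list means nothing unusual was seen."""
    findings: list[str] = []
    for rel in SHUTDOWN_BINARIES:
        # lexists() so that /sbin/shutdown -> ../bin/systemctl counts as present even
        # when inspecting an offline image whose symlink target does not resolve here.
        if not os.path.lexists(os.path.join(root, rel)):
            findings.append(f"missing binary: /{rel}")
    for unit in SLEEP_TARGETS:
        path = os.path.join(root, "etc/systemd/system", unit)
        if os.path.islink(path) and os.readlink(path) == "/dev/null":
            findings.append(f"masked unit: {unit}")
    conf = os.path.join(root, "etc/systemd/sleep.conf")
    if os.path.isfile(conf):
        with open(conf, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if m := SLEEP_CONF_RE.match(line):
                    findings.append(f"sleep.conf: {m.group(1)}=no")
    return findings


def build_demo_root() -> str:
    """Construct a throwaway root that shows each finding type (demo data, not a real host)."""
    root = tempfile.mkdtemp(prefix="t1653-demo-")
    os.makedirs(os.path.join(root, "sbin"))
    os.makedirs(os.path.join(root, "etc/systemd/system"))
    for rel in ("sbin/reboot", "sbin/poweroff", "sbin/halt"):   # shutdown deliberately absent
        open(os.path.join(root, rel), "w").close()
    os.symlink("/dev/null", os.path.join(root, "etc/systemd/system/sleep.target"))
    with open(os.path.join(root, "etc/systemd/sleep.conf"), "w") as fh:
        fh.write("[Sleep]\nAllowSuspend=no\nAllowHibernation=yes\n")
    return root


if __name__ == "__main__":
    # Point the function at "/" (the default) to audit the running host instead of the demo root.
    for finding in audit_linux_power_controls(build_demo_root()):
        print(finding)
```

A masked target or an `AllowSuspend=no` entry can be a legitimate server hardening choice, so the findings are best compared against the host's expected configuration rather than treated as alerts on their own; the missing-binary finding is the one that rarely has a benign explanation on a general-purpose system.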

Platforms

Windows, Linux, macOS, Network Devices

Mitigations (1)

M1047 Audit

Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activity.

Associated Software (2)

| ID | Name | Type | Context |
|---|---|---|---|
| S1188 | Line Runner | Malware | [Line Runner](https://attack.mitre.org/software/S1188) used CVE-2024-20353 to trigger victim devices to reboot, in the process unzipping and installin... |
| S1186 | Line Dancer | Malware | [Line Dancer](https://attack.mitre.org/software/S1186) can modify the crash dump process on infected machines to skip crash dump generation and procee... |

References

Frequently Asked Questions

What is T1653 (Power Settings)?

T1653 is a MITRE ATT&CK technique named 'Power Settings'. It belongs to the Persistence tactic(s). Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware m...

How can T1653 be detected?

Detection of T1653 (Power Settings) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1653?

There is 1 documented mitigation for T1653: Audit.

Which threat groups use T1653?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.