AN1174: Analytic 1174
Monitor command execution of powercfg.exe with arguments modifying sleep, hibernate, or display timeouts. Abnormal or repeated modifications to power settings outside administrative baselines may indicate persistence attempts. Correlate process creation with registry and system configuration changes to build behavioral chains.
Analyst context for executives and security teams
This analytic matters because unexpected changes to Windows power settings can affect endpoint availability, monitoring continuity, and incident response assumptions. MITRE describes monitoring powercfg.exe command execution when it modifies sleep, hibernate, or display timeout settings, especially when changes are abnormal or repeated outside administrative baselines. For leaders, the value is not the tool itself, but whether the organization can distinguish approved power-management activity from behavior that may support persistence or reduced operational visibility.
Executive priority
Treat this as a Windows endpoint control-validation item. Security leaders should ask whether SOC teams collect process creation and configuration-change evidence for power-setting modifications, whether IT has a documented baseline for legitimate administrative power-policy changes, and whether repeated or unusual changes would trigger investigation. This is also relevant to audit and resilience discussions because unmanaged endpoint configuration drift can weaken monitoring, response readiness, and operational consistency.
Technical view
For Windows environments, validate visibility into powercfg.exe execution and its command-line arguments when sleep, hibernate, or display timeout settings are modified. Since ATT&CK provides no separate detection logic for this analytic, detection engineering should focus on building behavioral chains from process creation, registry evidence, and system configuration changes. Tuning should compare activity against known administrative baselines, endpoint management workflows, maintenance windows, and expected IT automation.
Likely telemetry
- Windows process creation events including image name and full command line for powercfg.exe
- Parent and child process context around powercfg.exe execution
- Registry change telemetry related to power and system configuration settings
- Endpoint system configuration change records
- Administrative change records or endpoint management logs that explain approved power-policy updates
Detection direction
- Alert or hunt for powercfg.exe executions that modify sleep, hibernate, or display timeout settings outside known administrative baselines.
- Correlate command execution with registry and system configuration changes rather than relying on process name alone.
- Prioritize repeated or abnormal modifications, especially where the initiating user, host, parent process, or timing does not match standard IT operations.
- Reduce false positives by suppressing or annotating approved endpoint management activity, policy rollouts, and maintenance-window changes, and by excluding query-only invocations such as powercfg /list or /query, which read settings without changing them.
- Document blind spots where command-line logging, registry-change auditing, or configuration-change telemetry is absent.
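The following is an added example, not code from the page or from MITRE, that implements the Technical view and the Detection direction above in Python: it classifies powercfg.exe command lines by the setting family they change (sleep, hibernate, display), drops query-only invocations and executions whose parent is in an approved-management baseline, and annotates the remainder with whether a registry write under the Power key landed on the same host within a short window and whether the host has already been flagged within 24 hours. The event records are constructed, the normalised field names (image, cmdline, parent, target) are an assumption about the reader's telemetry rather than a schema the analytic specifies, and the two approved parent paths stand in for a local baseline.

```python
"""Classify powercfg.exe process-creation events that change sleep, hibernate or
display timeouts, suppress approved management activity, and correlate the rest
with registry writes under the Power key on the same host (constructed events)."""
from datetime import datetime, timedelta

# powercfg aliases for the settings in scope and the GUIDs they resolve to
# (see `powercfg /aliases`).
FAMILIES = {
    "sub_sleep": "sleep", "238c9fa8-0aad-41ed-83f4-97be242c8f20": "sleep",
    "standbyidle": "sleep", "29f6c1db-86da-48c5-9fdb-f2b67b1f44da": "sleep",
    "hibernateidle": "hibernate", "9d7815a6-7ee4-497e-8888-515a05f02364": "hibernate",
    "sub_video": "display", "7516b95f-f776-4464-8c53-06167f40cc99": "display",
    "videoidle": "display", "3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e": "display",
}
# Stand-in for the organisation's baseline: parent images allowed to push power
# policy. Both paths are assumptions; substitute the local management tooling.
APPROVED_PARENTS = {
    r"c:\program files (x86)\microsoft intune management extension\agentexecutor.exe",
    r"c:\windows\ccm\ccmexec.exe",
}
POWER_KEY_PREFIX = r"hklm\system\currentcontrolset\control\power"
CORRELATION_WINDOW = timedelta(seconds=120)  # registry write near the process event
REPEAT_WINDOW, REPEAT_THRESHOLD = timedelta(hours=24), 2  # flagged changes per host


def classify_powercfg(cmdline):
    """Return the setting families ('sleep', 'hibernate', 'display') a powercfg
    command line modifies; query-only invocations yield an empty set."""
    # powercfg accepts '/' and '-' switch prefixes; normalise to '/'.
    toks = ["/" + t[1:] if t.startswith("-") else t for t in cmdline.lower().split()]
    fams = set()
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("/change", "/x"):
            for prefix, fam in (("standby-timeout", "sleep"),
                                ("hibernate-timeout", "hibernate"),
                                ("monitor-timeout", "display")):
                if nxt.startswith(prefix):
                    fams.add(fam)
        elif t in ("/hibernate", "/h") and nxt in ("on", "off"):
            fams.add("hibernate")
        elif t in ("/setacvalueindex", "/setdcvalueindex"):
            # /setacvalueindex <scheme> <subgroup> <setting> <value>
            sub, setting = (toks[i + 2:i + 4] + ["", ""])[:2]
            fam = FAMILIES.get(setting) or FAMILIES.get(sub)
            if fam:
                fams.add(fam)
    return fams


def analyse(events):
    """Emit one finding per powercfg modification outside the baseline, noting a
    nearby Power-key registry write and repetition on the host within REPEAT_WINDOW."""
    events = sorted(events, key=lambda e: e["time"])
    registry = [e for e in events if e["kind"] == "registry"
                and e["target"].lower().startswith(POWER_KEY_PREFIX)]
    findings = []
    for e in events:
        if e["kind"] != "process" or not e["image"].lower().endswith("powercfg.exe"):
            continue
        fams = classify_powercfg(e["cmdline"])
        if not fams or e["parent"].lower() in APPROVED_PARENTS:
            continue  # query-only (e.g. /list) or an approved management rollout
        nearby = any(r["host"] == e["host"] and abs(r["time"] - e["time"]) <= CORRELATION_WINDOW
                     for r in registry)
        prior = sum(f["host"] == e["host"] and e["time"] - f["time"] <= REPEAT_WINDOW
                    for f in findings)
        findings.append({"time": e["time"], "host": e["host"], "user": e["user"],
                         "parent": e["parent"], "families": sorted(fams),
                         "registry_correlated": nearby,
                         "repeated": prior + 1 >= REPEAT_THRESHOLD})
    return findings


T0 = datetime(2024, 3, 4, 9, 0, 0)


def proc(minutes, host, user, parent, cmdline):
    """Build a constructed process-creation record `minutes` after T0."""
    return {"kind": "process", "time": T0 + timedelta(minutes=minutes), "host": host,
            "user": user, "image": r"C:\Windows\System32\powercfg.exe",
            "parent": parent, "cmdline": cmdline}


INTUNE = r"c:\program files (x86)\microsoft intune management extension\agentexecutor.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    proc(0, "WS01", r"corp\jdoe", r"c:\windows\system32\cmd.exe",
         "powercfg.exe /change standby-timeout-ac 0"),
    {"kind": "registry", "time": T0 + timedelta(seconds=1), "host": "WS01",
     "target": r"HKLM\System\CurrentControlSet\Control\Power\User\PowerSchemes"
               r"\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20"
               r"\29f6c1db-86da-48c5-9fdb-f2b67b1f44da\ACSettingIndex"},
    proc(5, "WS02", r"nt authority\system", INTUNE, "powercfg.exe /hibernate off"),
    proc(10, "WS01", r"corp\jdoe", r"c:\windows\system32\cmd.exe", "powercfg.exe /list"),
    proc(30, "WS01", r"corp\jdoe", r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
         "powercfg /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOIDLE 0"),
    proc(45, "WS03", r"corp\asmith", r"c:\windows\explorer.exe", "powercfg -h off"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Running the module prints three findings: the WS01 cmd.exe-spawned standby change (registry-correlated, first on that host), the later WS01 display change (not correlated, flagged as repeated), and the WS03 hibernate change. The Intune-parented change on WS02 and the /list query are dropped. In production the baseline and thresholds belong in the organisation's change records rather than in code, and the absence of a correlated registry write should be treated as a telemetry gap to investigate, not as evidence that nothing changed.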
Mitigation priorities
- Establish and maintain approved Windows power-management baselines for business-critical endpoint groups.
- Restrict or govern who can modify system power settings through administrative process and least-privilege controls.
- Ensure endpoint logging captures command-line execution and relevant configuration changes needed to investigate power-setting modifications.
- Integrate approved IT change records with SOC triage so legitimate power-policy changes are distinguishable from abnormal activity.
- Periodically test whether SOC workflows can detect and explain unauthorized or repeated power-setting changes.
Analyst notes and limits
This ATT&CK object is a detection analytic, not a technique description. The supplied object identifies Windows as the platform and describes monitoring powercfg.exe arguments that modify sleep, hibernate, or display timeouts. No tactics, relationships, aliases, labels, or official detection implementation were supplied, so local baselines and telemetry validation are essential.
The source provides a high-level analytic description only. It does not include a formal detection query, associated ATT&CK tactics or techniques, relationship context, adversary use, impact claims, or evidence of active exploitation. Applicability depends on whether the environment uses Windows endpoints and collects the required process, registry, and configuration telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6ed0847dfa86… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1174
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.