AN1175: Analytic 1175
Detect execution of system utilities (systemctl, systemd-inhibit, systemd-sleep) modifying sleep or hibernate behavior. Abnormal edits to system configuration files (e.g., /etc/systemd/sleep.conf) should be correlated with process execution to identify persistence techniques.
Analyst context for executives and security teams
This analytic is about spotting Linux activity that changes sleep or hibernate behavior through system utilities or systemd configuration. For leaders, the practical issue is persistence and operational resilience: changes to power-management behavior can help unwanted activity survive expected downtime patterns or interfere with normal host behavior. It is most relevant where Linux systems support critical services, privileged administration, or compliance-sensitive workloads.
Executive priority
Prioritize this as a Linux host monitoring and configuration-governance question. Security leaders should ask whether SOC teams can see privileged execution of systemctl, systemd-inhibit, and related utilities, and whether changes to files such as /etc/systemd/sleep.conf are tracked and reviewed. The business value is not just alerting on one command; it is proving that important Linux configuration changes are observable, attributable, and explainable during an incident or audit.
Technical view
Validate coverage for Linux process execution involving the system utilities named in the analytic, especially systemctl, systemd-inhibit, and systemd-sleep, and correlate that activity with edits to sleep or hibernate configuration such as /etc/systemd/sleep.conf. Because the ATT&CK object does not provide a full detection rule, teams should build environment-specific logic around abnormal modification of systemd sleep behavior: user context, parent process, privilege level, timing, and whether the change aligns with approved administration.
Likely telemetry
- Linux process execution telemetry for systemctl, systemd-inhibit, and systemd-sleep, including parent/child process context
- File modification telemetry for systemd sleep or hibernate configuration, including /etc/systemd/sleep.conf
- User, account, and privilege context for the process performing the change
- Command-line arguments where collected and permitted
- Host identity, role, and change window context to distinguish expected administration from abnormal activity
Detection direction
- Correlate execution of relevant system utilities with nearby edits to sleep or hibernate configuration rather than alerting on utility use alone.
- Tune for administrative false positives, since legitimate system maintenance may use systemctl or modify systemd configuration.
- Prioritize events from servers or Linux endpoints where sleep/hibernate behavior is unusual or not part of standard operations.
- Validate whether file integrity monitoring or endpoint telemetry captures /etc/systemd/sleep.conf and comparable configuration paths.
- Review blind spots around short-lived processes, missing command-line logging, privileged interactive sessions, and hosts not covered by endpoint telemetry.
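The correlation described in the technical view and the detection-direction points above, as an added example that is not part of the ATT&CK analytic or this mirror page. It pairs each execution of a power-management utility with sleep/hibernate configuration edits on the same host inside a time window, so utility use alone never alerts, and it labels edits from approved accounts as expected administration instead of dropping them. The event records are constructed to resemble normalized host telemetry; the field names, the approved-account list and the five-minute window are assumptions to be replaced with local values.

```python
"""Correlate systemd power-utility execution with sleep/hibernate config edits.

Added example, not part of the ATT&CK analytic or this mirror page. The event
records are constructed to resemble normalized host telemetry (process
execution plus file modification); the field names, the approved-account
list and the five-minute window are assumptions to be replaced locally.
"""
from datetime import datetime, timedelta

# Utilities named in the analytic and the configuration paths to watch.
POWER_UTILITIES = {"systemctl", "systemd-inhibit", "systemd-sleep"}
SLEEP_CONFIG_PATHS = ("/etc/systemd/sleep.conf", "/etc/systemd/sleep.conf.d/")
# Accounts whose edits are expected administration (assumption: from change control).
APPROVED_ACCOUNTS = {"cfgmgmt"}
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample telemetry: a configuration-management run on web01
# (expected), an interactive root edit plus systemctl mask on db02 (abnormal),
# and an unrelated systemctl call on db02 with no nearby edit (no finding).
EVENTS = [
    {"ts": "2026-01-10T02:00:01", "type": "file_modify", "host": "web01", "user": "cfgmgmt",
     "uid": 1001, "path": "/etc/systemd/sleep.conf", "parent": "puppet"},
    {"ts": "2026-01-10T02:00:03", "type": "process", "host": "web01", "user": "cfgmgmt",
     "uid": 1001, "exe": "systemctl", "cmdline": "systemctl daemon-reload", "parent": "puppet"},
    {"ts": "2026-01-10T13:41:10", "type": "file_modify", "host": "db02", "user": "root",
     "uid": 0, "path": "/etc/systemd/sleep.conf", "parent": "bash"},
    {"ts": "2026-01-10T13:42:02", "type": "process", "host": "db02", "user": "root",
     "uid": 0, "exe": "systemctl", "parent": "bash",
     "cmdline": "systemctl mask sleep.target suspend.target hibernate.target"},
    {"ts": "2026-01-10T15:00:00", "type": "process", "host": "db02", "user": "root",
     "uid": 0, "exe": "systemctl", "cmdline": "systemctl status sshd", "parent": "bash"},
]


def _watched_path(path):
    """True for sleep.conf itself or anything under the sleep.conf.d drop-in dir."""
    return any(path == p or (p.endswith("/") and path.startswith(p))
               for p in SLEEP_CONFIG_PATHS)


def correlate(events, window=CORRELATION_WINDOW):
    """Return one finding per power-utility execution that has a sleep/hibernate
    configuration edit on the same host within `window` (before or after).

    Utility use with no nearby edit yields nothing, so routine systemctl calls
    do not alert on their own; findings from approved accounts are labelled
    as expected administration rather than dropped, so they stay reviewable.
    """
    edits = [e for e in events
             if e["type"] == "file_modify" and _watched_path(e["path"])]
    findings = []
    for proc in events:
        if proc["type"] != "process" or proc["exe"] not in POWER_UTILITIES:
            continue
        t = datetime.fromisoformat(proc["ts"])
        nearby = [e for e in edits if e["host"] == proc["host"]
                  and abs(datetime.fromisoformat(e["ts"]) - t) <= window]
        if not nearby:
            continue
        approved = (proc["user"] in APPROVED_ACCOUNTS
                    and all(e["user"] in APPROVED_ACCOUNTS for e in nearby))
        findings.append({
            "host": proc["host"],
            "user": proc["user"],
            "privileged": proc["uid"] == 0,
            "parent": proc["parent"],
            "cmdline": proc["cmdline"],
            "edits": sorted({e["path"] for e in nearby}),
            "verdict": "expected-administration" if approved else "abnormal",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['verdict']:<24} host={f['host']} user={f['user']} "
              f"parent={f['parent']} cmd={f['cmdline']!r} edits={f['edits']}")
```

The window is the main tuning knob: widening it catches edits made in a separate session before the utility runs, at the cost of more pairings with routine administration. Parent process and command-line arguments are carried into the finding so an analyst can tell a configuration-management run from an interactive shell without reopening the raw telemetry.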
Mitigation priorities
- Establish approved baselines for Linux sleep and hibernate configuration on relevant systems.
- Limit privileged access capable of modifying systemd configuration to authorized administrators and managed workflows.
- Use change control or configuration management to make unexpected edits to systemd sleep settings easier to identify.
- Ensure endpoint or host logging is enabled for process execution and sensitive configuration-file changes on Linux systems.
- In incident response, compare observed configuration changes against known-good baselines before assuming malicious intent.
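The baseline comparison that the mitigation points above rely on, as an added example that is not part of the ATT&CK analytic or this mirror page. It parses sleep.conf-style text, merges drop-in fragments the way systemd layers sleep.conf.d/*.conf over the main file, and reports every setting that differs from an approved baseline. The baseline, observed file and drop-in are constructed samples; the key names (AllowSuspend, AllowHibernation, HibernateDelaySec) are documented systemd-sleep.conf(5) settings, but their values here are illustrative only.

```python
"""Compare an observed systemd sleep configuration against an approved baseline.

Added example, not part of the ATT&CK analytic or this mirror page. The
baseline and observed file contents are constructed samples; the key names
(AllowSuspend, AllowHibernation, HibernateDelaySec) are documented
systemd-sleep.conf(5) settings, but the values are illustrative only.
"""

# Constructed approved baseline for a server role where the host must never sleep.
BASELINE_CONF = """\
# Approved baseline (constructed sample)
[Sleep]
AllowSuspend=no
AllowHibernation=no
"""

# Constructed observed file: AllowSuspend commented out, hibernation enabled,
# and a delay added. The stock file ships its defaults commented out, so
# comment lines must not be read as settings.
OBSERVED_CONF = """\
[Sleep]
#AllowSuspend=no
AllowHibernation=yes
HibernateDelaySec=30min
"""

# Constructed drop-in under /etc/systemd/sleep.conf.d/, which overrides the main file.
OBSERVED_DROPIN = """\
[Sleep]
AllowSuspend=yes
"""


def parse_sleep_conf(text):
    """Parse sleep.conf-style text into {section: {key: value}}.
    Blank lines and '#' or ';' comment lines are ignored."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            settings.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            settings[section][key.strip()] = value.strip()
    return settings


def effective_settings(main_text, dropin_texts=()):
    """Merge the main file and its drop-ins in order; a later assignment to the
    same key wins, which is how systemd applies sleep.conf.d/*.conf fragments."""
    merged = {}
    for text in (main_text, *dropin_texts):
        for section, kv in parse_sleep_conf(text).items():
            merged.setdefault(section, {}).update(kv)
    return merged


def diff_against_baseline(baseline, observed):
    """Return {(section, key): (baseline_value, observed_value)} for every
    setting present in either side whose value differs; None marks absence."""
    keys = set()
    for cfg in (baseline, observed):
        for section, kv in cfg.items():
            keys.update((section, k) for k in kv)
    drift = {}
    for section, key in sorted(keys):
        b = baseline.get(section, {}).get(key)
        o = observed.get(section, {}).get(key)
        if b != o:
            drift[(section, key)] = (b, o)
    return drift


if __name__ == "__main__":
    drift = diff_against_baseline(
        parse_sleep_conf(BASELINE_CONF),
        effective_settings(OBSERVED_CONF, [OBSERVED_DROPIN]),
    )
    for (section, key), (before, after) in drift.items():
        print(f"[{section}] {key}: baseline={before!r} observed={after!r}")
```

Comparing effective settings rather than raw file bytes matters here: a change made only in a drop-in file leaves /etc/systemd/sleep.conf untouched, so a file-hash check on the main file alone would report no drift. In incident response the drift output is the list to reconcile against change records before treating the edit as malicious.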
Analyst notes and limits
The supplied object is a detection analytic for Linux and describes monitoring system utilities and configuration edits related to sleep or hibernate behavior. No ATT&CK tactic, relationship context, or formal detection logic was supplied, so this take frames practical validation around the official description only.
Detection quality depends on local Linux logging, endpoint telemetry, file monitoring scope, and knowledge of legitimate administrative activity. The source does not provide active exploitation evidence, attribution, impact claims, or complete rule logic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c3f916db4439… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1175 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.