MITRE ATT&CK® Technique

T1653: Power Settings

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.[1]

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.[2][3]

For example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.[4] Adversaries may also extend system lock screen timeout settings.[5] Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.[6]

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.[7]

Enterprise · T1653 · Technique · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Power Settings abuse matters because an attacker may try to keep a compromised system awake, unlocked, or unable to reboot so their access or malware continues running. For leaders, this is a persistence signal that can affect endpoint hygiene, incident containment, and network device resilience, especially where reboots or shutdowns are part of recovery procedures.

Executive priority

Treat unexpected power, sleep, lock-screen, reboot, or shutdown configuration changes as control-plane drift that can undermine incident response and operational resilience. The priority is to prove that audit evidence exists across Windows, Linux, macOS, and network devices, and that SOC/IR teams can distinguish authorized administration from persistence-oriented changes. ATT&CK also links this technique to ArcaneDoor-related network device activity through Line Runner and Line Dancer, making network infrastructure auditability especially relevant where those platforms are in scope.

Technical view

This is an enterprise ATT&CK persistence technique across Windows, Linux, macOS, and network devices. Validate visibility into changes to configurable power settings, sleep/hibernate behavior, lock-screen timeout, disk/hibernate timeout, and files or mechanisms used to invoke shutdown or reboot. Windows review should include evidence around powercfg use and resulting policy/configuration changes. Linux review should include system sleep configuration evidence such as systemd sleep settings. For network devices, validate configuration and file integrity audit trails because the supplied relationships include network-device software and campaign context.

Likely telemetry

  • Endpoint process execution and command-line logs for power-management utilities such as powercfg where available
  • Operating system audit logs showing sleep, hibernate, lock, shutdown, and reboot configuration changes
  • Configuration file monitoring for platform-specific sleep or power-management settings, including Linux systemd sleep configuration
  • Registry, policy, or endpoint configuration state where power and lock behavior is centrally managed
  • File integrity or configuration monitoring for shutdown/reboot-related files or mechanisms

Detection direction

  • Use DET0417 as the ATT&CK-linked detection strategy reference, but validate locally because the technique object does not provide official detection text.
  • Baseline normal power and lock-screen settings by system role; alert on unexpected changes that prevent sleep, hibernate, locking, shutdown, or reboot.
  • Correlate configuration changes with the user, process, command line, host role, and approved change ticket to reduce false positives from legitimate IT administration.
  • Prioritize high-value endpoints, servers, and network devices where inability to reboot or sleep could delay containment or recovery.
  • Look for combinations of persistence indicators: power-setting changes plus suspicious process execution, unauthorized admin activity, or modification/deletion of shutdown or reboot mechanisms.
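To make the detection direction above concrete, and to show what the `powercfg` abuse in the technique description looks like on the wire, here is an added example (not MITRE's or Glexia's code) that runs classification logic over constructed process-creation events shaped like Windows Security 4688 / Sysmon Event ID 1 command lines. It flags `powercfg` calls that set idle timeouts to never or disable hibernation, and `reg add` calls that zero lock-screen values, then suppresses matches that an assumed role baseline or an assumed approved-change list explains. Host names, users, the role baseline and the approved-change set are assumptions; the `powercfg` switches and registry value names are the documented ones.

```python
"""Classify power/lock-screen changes from process command lines (T1653).

Added example for this page, not MITRE's or Glexia's code. Events are
constructed to look like Windows Security 4688 / Sysmon Event ID 1 fields
plus an asset role the SOC would join from its CMDB. Role baselines and the
approved-change list are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# `powercfg /change <setting> 0` sets the idle timeout (minutes) to "never".
TIMEOUT_SETTINGS = {"standby-timeout-ac", "standby-timeout-dc", "hibernate-timeout-ac",
                    "hibernate-timeout-dc", "disk-timeout-ac", "disk-timeout-dc",
                    "monitor-timeout-ac", "monitor-timeout-dc"}
# GUID aliases accepted by /setacvalueindex and /setdcvalueindex.
IDLE_ALIASES = {"standbyidle", "hibernateidle", "diskidle", "videoidle"}
# Lock-screen registry values where 0 means "no lock" / "no timeout".
REG_ZERO = re.compile(
    r'(InactivityTimeoutSecs|ScreenSaveTimeOut|ScreenSaveActive|ScreenSaverIsSecure)'
    r'\b.*?/d\s+"?0"?(\s|$)', re.IGNORECASE)
# Assumed role baseline: timeouts legitimately held at "never" per asset class.
ROLE_BASELINE = {"server": {"standby-timeout-ac", "hibernate-timeout-ac"}}

@dataclass
class Event:
    host: str
    user: str
    role: str
    command_line: str

@dataclass
class Finding:
    host: str
    user: str
    reason: str
    command_line: str
    approved: bool = False

def _norm(tok: str) -> str:
    """powercfg accepts '/' or '-' prefixes and is case-insensitive."""
    return tok.strip('"').lstrip("/-").lower()

def _basename(tok: str) -> str:
    return tok.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_powercfg(cmd: str, role: str) -> str | None:
    """Reason if cmd is a powercfg call that blocks sleep, hibernate or idle
    transitions and the role baseline does not explain it; else None."""
    argv = cmd.split()
    if not argv or _basename(argv[0]) not in ("powercfg", "powercfg.exe"):
        return None
    opts = [_norm(a) for a in argv[1:]]
    if (len(opts) >= 3 and opts[0] in ("change", "x")
            and opts[1] in TIMEOUT_SETTINGS and opts[2] == "0"):
        if opts[1] in ROLE_BASELINE.get(role, set()):
            return None  # expected for this asset class; audit evidence only
        return f"powercfg sets {opts[1]} to never"
    if len(opts) >= 2 and opts[0] in ("hibernate", "h") and opts[1] == "off":
        return "powercfg disables hibernation"
    if opts and opts[0] in ("setacvalueindex", "setdcvalueindex"):
        hits = sorted(IDLE_ALIASES.intersection(opts))
        if hits and opts[-1] == "0":
            return f"powercfg sets {hits[0].upper()} to 0 (never)"
    return None

def classify_reg(cmd: str) -> str | None:
    """Reason if cmd is a `reg add` that zeroes a lock-screen value; else None."""
    argv = cmd.split()
    if len(argv) < 2 or _basename(argv[0]) not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    m = REG_ZERO.search(cmd)
    return f"registry lock-screen value {m.group(1)} set to 0" if m else None

def triage(events: list[Event], approved: set[tuple[str, str]]) -> list[Finding]:
    """Attach user/host correlation and approved-change status to each hit."""
    findings = []
    for ev in events:
        reason = classify_powercfg(ev.command_line, ev.role) or classify_reg(ev.command_line)
        if reason:
            findings.append(Finding(ev.host, ev.user, reason, ev.command_line,
                                    approved=(ev.host, ev.user) in approved))
    return findings

def alerts(findings: list[Finding]) -> list[Finding]:
    """Unapproved changes only; approved ones are retained as audit evidence."""
    return [f for f in findings if not f.approved]

# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    Event("WS-0142", "CORP\\jdoe", "workstation",
          r"C:\Windows\System32\powercfg.exe /change standby-timeout-ac 0"),
    Event("WS-0142", "CORP\\jdoe", "workstation", "powercfg -x -monitor-timeout-dc 0"),
    Event("WS-0142", "CORP\\jdoe", "workstation",
          "powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0"),
    Event("WS-0142", "CORP\\jdoe", "workstation", "powercfg -h off"),
    Event("WS-0142", "CORP\\jdoe", "workstation",
          r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" '
          r"/v InactivityTimeoutSecs /t REG_DWORD /d 0 /f"),
    Event("WS-0142", "CORP\\jdoe", "workstation",
          "powercfg /change monitor-timeout-ac 15"),      # ordinary tweak, no hit
    Event("SRV-DB01", "CORP\\svc_build", "server",
          "powercfg /change standby-timeout-ac 0"),       # matches server baseline
    Event("SRV-APP07", "CORP\\it_admin", "server", "powercfg -h off"),  # ticketed
]
APPROVED_CHANGES = {("SRV-APP07", "CORP\\it_admin")}

if __name__ == "__main__":
    for f in alerts(triage(SAMPLE_EVENTS, APPROVED_CHANGES)):
        print(f"{f.host} {f.user}: {f.reason}  <- {f.command_line}")
```

Approved findings are kept rather than dropped so the audit trail survives; only unapproved ones become alerts. Real telemetry needs the same normalization applied after unwrapping `cmd /c` and script-host wrappers, which this example does not do, and the role baseline should come from the CMDB rather than a literal.
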

Mitigation priorities

  • Implement and regularly review auditing for power, sleep, lock, shutdown, reboot, and related configuration changes, consistent with ATT&CK mitigation M1047 Audit.
  • Maintain approved baselines for power-management settings by asset class and compare drift against change-management records.
  • Ensure SOC and IR playbooks include checks for altered power or reboot behavior before relying on reboot-based containment or recovery.
  • For network devices, include configuration and file integrity review in routine audits, especially for devices supporting critical infrastructure or remote administration.
  • Use audit findings to prioritize remediation of unmanaged assets or platforms lacking sufficient configuration-change evidence.
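
The baseline-and-drift mitigations above, and the Linux systemd sleep telemetry named earlier, can be checked with a small state-based comparison. The following is an added example, not MITRE's, Glexia's or the systemd project's code: it parses the `[Sleep]` section of systemd-sleep.conf(5) text, merges drop-in fragments the way systemd does (main file first, then drop-ins in lexical order, later keys overriding earlier ones), and reports any `Allow*` switch that differs from an approved per-role baseline. The file contents are constructed strings standing in for `/etc/systemd/sleep.conf` and a `sleep.conf.d` drop-in; the roles and baselines are assumptions.

```python
"""Role-aware drift check for systemd sleep configuration (T1653 on Linux).

Added example for this page; not MITRE's, Glexia's or the systemd project's
code. Text below is constructed to stand in for /etc/systemd/sleep.conf and a
sleep.conf.d drop-in; roles and baselines are assumptions.
"""
from __future__ import annotations
import configparser

# systemd-sleep.conf(5) switches that decide whether the host may sleep at all.
# All four default to "yes" when unset.
SLEEP_KEYS = ("AllowSuspend", "AllowHibernation",
              "AllowSuspendThenHibernate", "AllowHybridSleep")

# Assumed approved baselines per asset class. Servers legitimately never sleep,
# so "no" is normal there; a workstation that can no longer sleep is drift.
ROLE_BASELINE = {
    "workstation": {k: "yes" for k in SLEEP_KEYS},
    "server": {k: "no" for k in SLEEP_KEYS},
}

_TRUE = {"1", "yes", "true", "on"}
_FALSE = {"0", "no", "false", "off"}

def bool_word(value: str) -> str:
    """Collapse systemd's accepted boolean spellings to yes/no."""
    v = value.strip().lower()
    return "yes" if v in _TRUE else "no" if v in _FALSE else v

def parse_sleep_conf(*fragments: str) -> dict[str, str]:
    """Merge [Sleep] sections in the order systemd applies them: main file
    first, then drop-ins in lexical order, later keys overriding earlier ones."""
    effective: dict[str, str] = {}
    for text in fragments:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # systemd keys are case-sensitive; keep them as written
        cp.read_string(text)
        if cp.has_section("Sleep"):
            for key, value in cp.items("Sleep"):
                effective[key] = value.strip()
    return effective

def drift(cfg: dict[str, str], role: str) -> list[tuple[str, str, str]]:
    """(key, expected, actual) for every sleep switch off its role baseline."""
    baseline = ROLE_BASELINE[role]
    out = []
    for key in SLEEP_KEYS:
        actual = bool_word(cfg.get(key, "yes"))  # documented default when unset
        if actual != baseline[key]:
            out.append((key, baseline[key], actual))
    return out

def check_host(role: str, *fragments: str) -> list[tuple[str, str, str]]:
    """Effective configuration from the fragments, compared to the role baseline."""
    return drift(parse_sleep_conf(*fragments), role)

# Constructed: a stock main file with the defaults left commented out ...
MAIN_CONF = """
[Sleep]
#AllowSuspend=yes
#AllowHibernation=yes
HibernateDelaySec=120min
"""
# ... and a drop-in of the kind an intruder could leave in sleep.conf.d/
# so the machine never suspends or hibernates while their implant runs.
DROPIN_CONF = """
[Sleep]
AllowSuspend=no
AllowHibernation=false
AllowSuspendThenHibernate=0
AllowHybridSleep=off
"""

if __name__ == "__main__":
    for key, expected, actual in check_host("workstation", MAIN_CONF, DROPIN_CONF):
        print(f"DRIFT {key}: baseline={expected} actual={actual}")
    print("server:", check_host("server", MAIN_CONF, DROPIN_CONF))
```

The same drop-in is benign against the server baseline and four-way drift against the workstation baseline, which is the role-aware alerting the detection section asks for. Masked sleep targets (`systemctl mask sleep.target` and friends) and logind idle handling are separate mechanisms this parser does not see; review them alongside the sleep configuration.
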

Analyst notes and limits

This technique is less about the power setting itself and more about persistence resilience: preventing a system from entering a state that disrupts malicious activity. The ATT&CK relationships add useful defensive context: M1047 Audit is the provided mitigation, DET0417 is the linked detection strategy, and ArcaneDoor/Line Runner/Line Dancer provide network-device relevance.

The supplied ATT&CK object does not include official detection text, so detection content must be validated against local telemetry and platform capabilities. The object supports Windows, Linux, macOS, and network devices, but only specific examples for Windows powercfg and Linux systemd sleep configuration are supplied. No claim of local exposure, active exploitation, or guaranteed detection can be made from this data alone.

Official MITRE ATT&CK definition

The technique text at the top of this page is the official MITRE definition. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Campaign (Enterprise)

C0046: ArcaneDoor

ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 6b892b777e8b604b...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.1
Modified:
Status: Current bundle
Raw hash: 6b892b777e8b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] AVG. (n.d.). Should You Shut Down, Sleep or Hibernate Your PC or Mac Laptop?. Retrieved June 8, 2023.
[2] Microsoft. (2021, December 15). Powercfg command-line options. Retrieved June 5, 2023.
[3] Man7. (n.d.). systemd-sleep.conf(5) — Linux manual page. Retrieved June 7, 2023.
[4] Douglas Bonderud. (2018, September 17). Two New Monero Malware Attacks Target Windows and Android Users. Retrieved June 5, 2023.
[5] Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht. (2022, November 14). BATLOADER: The Evasive Downloader Malware. Retrieved June 5, 2023.
[6] Avira. (2019, November 28). CoinLoader: A Sophisticated Malware Loader Campaign. Retrieved June 5, 2023.
[7] Joie Salvio and Roy Tay. (2023, June 20). Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389. Retrieved September 5, 2023.
[8] mitre-attack T1653 (ATT&CK source object for this technique).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.