Rule Info
Name
Mask System Power Settings Via Systemctl
Author
Milad Cheraghi, Nasreddine Bencherchali
Description
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
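The behavior described above can be checked against process command lines as follows. This is an added example, not the rule's own detection logic; the unit names in POWER_TARGETS, the wrapper list and the sample events are assumptions constructed for illustration.

```python
import shlex

# Assumption: these systemd unit names stand for the "suspend, hibernate,
# or hybrid sleep" targets named in the description.
POWER_TARGETS = {"suspend.target", "hibernate.target",
                 "hybrid-sleep.target", "sleep.target"}
WRAPPERS = {"sudo", "doas", "nohup"}  # hypothetical list of prefixes to skip


def masked_power_targets(cmdline):
    """Return the power targets that a `systemctl mask` command line masks."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    # Skip simple wrappers so "sudo systemctl ..." is still recognised.
    while argv and argv[0] in WRAPPERS:
        argv = argv[1:]
    # Compare the basename so /usr/bin/systemctl matches as well.
    if not argv or argv[0].rsplit("/", 1)[-1] != "systemctl":
        return []
    # Flags such as --now or --runtime may sit before or after the verb.
    # Simplification: options that take a separate value are not handled.
    words = [a for a in argv[1:] if not a.startswith("-")]
    if not words or words[0] != "mask":
        return []
    return sorted(t for t in words[1:] if t.lower() in POWER_TARGETS)


# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    "systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target",
    "sudo /usr/bin/systemctl --now mask suspend.target",
    "systemctl unmask suspend.target",    # reverses a mask: no match
    "systemctl mask bluetooth.service",   # mask, but not a power target
    "systemctl status hibernate.target",  # power target, but not mask
]


def detect(events):
    """Return (command line, masked targets) for every matching event."""
    return [(e, hits) for e in events if (hits := masked_power_targets(e))]


if __name__ == "__main__":
    for event, targets in detect(SAMPLE_EVENTS):
        print("ALERT", targets, "<-", event)
```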
Date
2025-10-17 00:00:00
Modified
None
Id
c172b7b5-f3a1-4af2-90b7-822c63df86cb
Tags
attack.persistence attack.impact attack.t1653
Type
Community Rule
Link to Public Repo
Rule History
Author
Milad Cheraghi
Title
Merge PR #5090 from @CheraghiMilad - add rule for impair system power settings
Date
2025-10-20
Commit
