EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Mask System Power Settings Via Systemctl

Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.

MITRE ATT&CK

T1653
persistenceimpact

Detection Query

selection_systemctl:
  Image|endswith: /systemctl
  CommandLine|contains: " mask"
selection_power_options:
  CommandLine|contains:
    - suspend.target
    - hibernate.target
    - hybrid-sleep.target
condition: all of selection_*

Author

Milad Cheraghi, Nasreddine Bencherchali

Created

2025-10-17

Data Sources

linuxProcess Creation Events

Platforms

linux

References

Tags

attack.persistenceattack.impactattack.t1653
Raw Content
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html
    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
    - attack.persistence
    - attack.impact
    - attack.t1653
logsource:
    category: process_creation
    product: linux
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high