Type: Detection | Level: high | Status: experimental

Mask System Power Settings Via Systemctl

Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.

Author: Milad Cheraghi, Nasreddine Bencherchali (Nextron Systems)
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
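To show how the two selectors and the `all of selection_*` condition combine, here is a small evaluator run over constructed process-creation events. It is an added example, not code from the Sigma project or from this rule's authors; the field names (`Image`, `CommandLine`) are the rule's, the events are made up for illustration, and the matcher implements only the `endswith`/`contains` modifiers the rule uses, with Sigma's default case-insensitive string comparison.

```python
"""Evaluate this Sigma rule's selectors over constructed process-creation events.

Added example; not part of the Sigma project or the rule page. Field names
(Image, CommandLine) follow the rule; the events below are constructed.
"""

# The two selectors, transcribed from the rule. A list of values under one
# field/modifier is an OR (any value matches); distinct fields inside one
# selector are ANDed.
RULE = {
    "selection_systemctl": {
        ("Image", "endswith"): ["/systemctl"],
        ("CommandLine", "contains"): [" mask"],
    },
    "selection_power_options": {
        ("CommandLine", "contains"): [
            "suspend.target",
            "hibernate.target",
            "hybrid-sleep.target",
        ],
    },
}


def _field_matches(value, modifier, patterns):
    """Sigma string modifiers are case-insensitive by default."""
    v = str(value).lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
    return False


def selection_matches(selection, event):
    """Every field condition of one selection must hold (AND)."""
    for (field, modifier), patterns in selection.items():
        if field not in event:
            return False
        if not _field_matches(event[field], modifier, patterns):
            return False
    return True


def rule_matches(event, rule=RULE):
    """condition: all of selection_*  ->  every selection must match."""
    return all(selection_matches(sel, event) for sel in rule.values())


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target"},
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask --now hybrid-sleep.target"},
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl unmask suspend.target"},   # ' mask' (with leading space) absent
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl status suspend.target"},   # no mask verb
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask bluetooth.service"},  # no power target
    {"Image": "/usr/bin/grep",
     "CommandLine": "grep mask suspend.target"},          # Image is not systemctl
]


def matching_indices(events=SAMPLE_EVENTS):
    """Return the positions of events that satisfy the whole rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indices():
        print("ALERT:", SAMPLE_EVENTS[i]["CommandLine"])
```

Only the first two events fire: both come from a `systemctl` binary, carry ` mask` with its leading space (so `unmask` does not match), and name at least one of the three power targets. The `grep` event shows why the `Image` check matters: the command line alone would satisfy both `contains` selectors.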
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
c172b7b5-f3a1-4af2-90b7-822c63df86cb
Status
experimental
Level
high
Type
Detection
Created
Fri Oct 17
Path
rules/linux/process_creation/proc_creation_lnx_systemctl_mask_power_settings.yml
Raw Tags
attack.persistence, attack.impact, attack.t1653