MITRE ATT&CK Technique
Persistence T1653
Description

Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)

Adversaries may abuse system utilities and configuration settings to maintain access by preventing machines from entering a state, such as standby, that can terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation: systemdsleep Linux)

For example, `powercfg` controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android Users) Adversaries may also extend system lock screen timeout settings.(Citation: BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as disk and hibernate timeout, can be similarly abused to keep the infected machine running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware Loader Campaign)

Aware that some malware cannot survive system reboots, adversaries may entirely delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)
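
A detection sketch for the `powercfg` abuse described above, added here as an example and not part of the ATT&CK entry: it flags process command lines that set the standby, hibernate or disk timeout to 0 (never) or turn hibernation off. The command lines are constructed samples, and the function names and the choice of settings to watch are assumptions.

```python
import re
import shlex

# `powercfg /change` (alias /x) idle-timeout settings named on this page.
# A value of 0 means "never", so the host stays awake with no user present.
TIMEOUT_SETTINGS = {
    f"{name}-timeout-{src}"
    for name in ("standby", "hibernate", "disk")
    for src in ("ac", "dc")
}

def _norm(token):
    """Lower-case a token and drop surrounding quotes and the '/' or '-' prefix."""
    return token.strip('"').lower().lstrip("/-")

def flag_power_tampering(cmdline):
    """Return findings for one process command line (empty list if none)."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:                              # unbalanced quotes
        tokens = cmdline.split()
    # Locate powercfg anywhere, so `cmd.exe /c powercfg ...` is covered too.
    names = [re.split(r"[\\/]", t.strip('"'))[-1].lower() for t in tokens]
    start = next((i for i, n in enumerate(names)
                  if n in ("powercfg", "powercfg.exe")), None)
    if start is None:
        return []
    args = [_norm(t) for t in tokens[start + 1:]]
    findings = []
    for i, arg in enumerate(args):
        nxt = args[i + 1:i + 3]
        if arg in ("change", "x") and len(nxt) == 2:
            setting, value = nxt
            if setting in TIMEOUT_SETTINGS and value == "0":
                findings.append(f"{setting} disabled (set to 0)")
        elif arg in ("hibernate", "h") and nxt[:1] == ["off"]:
            findings.append("hibernation turned off")
    return findings

# Constructed process-creation command lines, not from a real incident.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\powercfg.exe /change standby-timeout-ac 0",
    r"cmd.exe /c powercfg -x -hibernate-timeout-dc 0",
    r"powercfg /hibernate off",
    r"powercfg /change standby-timeout-ac 15",
    r"powercfg /list",
]

def scan(events):
    """Map each flagged command line to its findings."""
    return {e: f for e in events if (f := flag_power_tampering(e))}
```

Administrators and OEM images also change these settings, so hits are best triaged against the parent process and the account that ran the command.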

Supported Platforms
Windows, Linux, macOS, Network Devices
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2023-06-05T15:52:52.467Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': "Adversaries may impair a system's ability to hibernate, "
                'reboot, or shut down in order to extend access to infected '
                'machines. When a computer enters a dormant state, some or all '
                'software and hardware may cease to operate which can disrupt '
                'malicious activity.(Citation: Sleep, shut down, hibernate)\n'
                '\n'
                'Adversaries may abuse system utilities and configuration '
                'settings to maintain access by preventing machines from '
                'entering a state, such as standby, that can terminate '
                'malicious activity.(Citation: Microsoft: Powercfg '
                'command-line options)(Citation: systemdsleep Linux)\n'
                '\n'
                'For example, `powercfg` controls all configurable power '
                'system settings on a Windows system and can be abused to '
                'prevent an infected host from locking or shutting '
                'down.(Citation: Two New Monero Malware Attacks Target Windows '
                'and Android Users) Adversaries may also extend system lock '
                'screen timeout settings.(Citation: BATLOADER: The Evasive '
                'Downloader Malware) Other relevant settings, such as disk and '
                'hibernate timeout, can be similarly abused to keep the '
                'infected machine running even if no user is active.(Citation: '
                'CoinLoader: A Sophisticated Malware Loader Campaign)\n'
                '\n'
                'Aware that some malware cannot survive system reboots, '
                'adversaries may entirely delete files used to invoke system '
                'shut down or reboot.(Citation: Condi-Botnet-binaries)',
 'external_references': [{'external_id': 'T1653',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1653'},
                         {'description': 'AVG. (n.d.). Should You Shut Down, '
                                         'Sleep or Hibernate Your PC or Mac '
                                         'Laptop?. Retrieved June 8, 2023.',
                          'source_name': 'Sleep, shut down, hibernate',
                          'url': 'https://www.avg.com/en/signal/should-you-shut-down-sleep-or-hibernate-your-pc-or-mac-laptop'},
                         {'description': 'Avira. (2019, November 28). '
                                         'CoinLoader: A Sophisticated Malware '
                                         'Loader Campaign. Retrieved June 5, '
                                         '2023.',
                          'source_name': 'CoinLoader: A Sophisticated Malware '
                                         'Loader Campaign',
                          'url': 'https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign'},
                         {'description': 'Bethany Hardin, Lavine Oluoch, '
                                         'Tatiana Vollbrecht. (2022, November '
                                         '14). BATLOADER: The Evasive '
                                         'Downloader Malware. Retrieved June '
                                         '5, 2023.',
                          'source_name': 'BATLOADER: The Evasive Downloader '
                                         'Malware',
                          'url': 'https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html'},
                         {'description': 'Douglas Bonderud. (2018, September '
                                         '17). Two New Monero Malware Attacks '
                                         'Target Windows and Android Users. '
                                         'Retrieved June 5, 2023.',
                          'source_name': 'Two New Monero Malware Attacks '
                                         'Target Windows and Android Users',
                          'url': 'https://securityintelligence.com/news/two-new-monero-malware-attacks-target-windows-and-android-users/'},
                         {'description': 'Joie Salvio and Roy Tay. (2023, June '
                                         '20). Condi DDoS Botnet Spreads via '
                                         "TP-Link's CVE-2023-1389. Retrieved "
                                         'September 5, 2023.',
                          'source_name': 'Condi-Botnet-binaries',
                          'url': 'https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389'},
                         {'description': 'Man7. (n.d.). systemd-sleep.conf(5) '
                                         '— Linux manual page. Retrieved June '
                                         '7, 2023.',
                          'source_name': 'systemdsleep Linux',
                          'url': 'https://man7.org/linux/man-pages/man5/systemd-sleep.conf.5.html'},
                         {'description': 'Microsoft. (2021, December 15). '
                                         'Powercfg command-line options. '
                                         'Retrieved June 5, 2023.',
                          'source_name': 'Microsoft: Powercfg command-line '
                                         'options',
                          'url': 'https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options?adlt=strict'}],
 'id': 'attack-pattern--ea071aa0-8f17-416f-ab0d-2bab7e79003d',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:49:33.435Z',
 'name': 'Power Settings',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Menachem Goldstein', 'Juan Tapiador'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'Linux', 'macOS', 'Network Devices'],
 'x_mitre_version': '1.1'}