Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
Sigma rule
title: Suspicious Powercfg Execution To Change Lock Screen Timeout
id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
status: test
description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
author: frack113
date: 2022-11-18
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_power:
        - Image|endswith: '\powercfg.exe'
        - OriginalFileName: 'PowerCfg.exe'
    selection_standby:
        # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
        - CommandLine|contains|all:
            - '/setacvalueindex '
            - 'SCHEME_CURRENT'
            - 'SUB_VIDEO'
            - 'VIDEOCONLOCK'
        # powercfg -change -standby-timeout-dc 3000
        # powercfg -change -standby-timeout-ac 3000
        - CommandLine|contains|all:
            - '-change '
            - '-standby-timeout-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
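To make the detection logic concrete, here is an added Python example (not part of the Sigma project or this rule) that evaluates the rule above against a few constructed process_creation events. It reproduces the Sigma semantics that matter here: a list of maps under a selection is an OR, `contains|all` requires every substring, string matching is case-insensitive, and `all of selection_*` ANDs both selections; the function names and sample events are my own.

```python
# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\powercfg.exe", "OriginalFileName": "PowerCfg.exe",
     "CommandLine": "powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK 0"},
    # cmd.exe launching powercfg: the command line matches, but the process is not
    # powercfg itself, so selection_power fails; the child powercfg event would match.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c powercfg -change -standby-timeout-dc 3000"},
    {"Image": r"C:\Windows\System32\powercfg.exe", "OriginalFileName": "PowerCfg.exe",
     "CommandLine": "powercfg -change -standby-timeout-ac 3000"},
    # Benign powercfg usage: selection_power true, selection_standby false.
    {"Image": r"C:\Windows\System32\powercfg.exe", "OriginalFileName": "PowerCfg.exe",
     "CommandLine": "powercfg /list"},
]


def _lower(value):
    # Sigma string matching is case-insensitive by default, so normalise both sides.
    return str(value or "").lower()


def selection_power(event):
    # Two maps in a YAML list under one selection are OR'ed together.
    return (_lower(event.get("Image")).endswith(r"\powercfg.exe")
            or _lower(event.get("OriginalFileName")) == "powercfg.exe")


def selection_standby(event):
    cmd = _lower(event.get("CommandLine"))
    # contains|all: every substring must be present. The trailing space in
    # '/setacvalueindex ' and '-change ' means the switch must be followed by an argument.
    setacvalue = all(s in cmd for s in
                     ("/setacvalueindex ", "scheme_current", "sub_video", "videoconlock"))
    change = all(s in cmd for s in ("-change ", "-standby-timeout-"))
    return setacvalue or change


def matches_rule(event):
    # condition: all of selection_*  ->  selection_power AND selection_standby
    return selection_power(event) and selection_standby(event)


def run_over_events(events):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run_over_events(SAMPLE_EVENTS))  # -> [0, 2]
```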