Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
Sigma rule (View on GitHub)
1title: Suspicious Powercfg Execution To Change Lock Screen Timeout
2id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
3status: test
4description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
5references:
6 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
7 - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
8author: frack113
9date: 2022/11/18
10tags:
11 - attack.defense_evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_power:
17 - Image|endswith: '\powercfg.exe'
18 - OriginalFileName: 'PowerCfg.exe'
19 selection_standby:
20 # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
21 - CommandLine|contains|all:
22 - '/setacvalueindex '
23 - 'SCHEME_CURRENT'
24 - 'SUB_VIDEO'
25 - 'VIDEOCONLOCK'
26 # powercfg -change -standby-timeout-dc 3000
27 # powercfg -change -standby-timeout-ac 3000
28 - CommandLine|contains|all:
29 - '-change '
30 - '-standby-timeout-'
31 condition: all of selection_*
32falsepositives:
33 - Unknown
34level: medium
References
-
We explore the Batloader malware, its history, attributes, how it is delivered, the infection chain, and Carbon Black’s detection capabilities.
Read More -
You can use the powercfg.exe tool to control power schemes (also named power plans) to use the available sleep states, to control the power states of individual devices, and to analyze the system for common energy-efficiency and battery-life problems.
Read More
Related rules
- Binary Padding - MacOS
- CobaltStrike Load by Rundll32
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Disable Windows Defender AV Security Monitoring
- Disable of ETW Trace