Adversaries may use systemctl mask to disable the systemd power-management targets (suspend, hibernate, hybrid sleep). Masking links a unit to /dev/null so it can no longer be started, which keeps a compromised host from sleeping or powering down and so prolongs the attacker's activity; it is also a quiet, persistent configuration change. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify persistence or impact tactics that rely on system configuration changes.
Detection Rule
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html
    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
    - attack.persistence
    - attack.impact
    - attack.t1653
logsource:
    category: process_creation
    product: linux
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
imProcessCreate
| where TargetProcessName endswith "/systemctl" and TargetProcessCommandLine contains " mask"
| where TargetProcessCommandLine contains "suspend.target" or TargetProcessCommandLine contains "hibernate.target" or TargetProcessCommandLine contains "hybrid-sleep.target"
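The following Python is an added example, not part of the original page or of the Sigma rule above. It applies the rule's selection logic (field names follow the Sigma process_creation taxonomy) to a handful of constructed process-creation events, and adds the kind of parent-based exclusion that the false-positive scenarios below need. It also goes beyond the rule in two places, both marked as assumptions in the code: it shows sleep.target, which suspend.target, hibernate.target and hybrid-sleep.target all pull in but the rule does not list, and it shows that masking by creating the /dev/null symlink directly (what systemctl mask does under the hood) never spawns a systemctl process and is therefore outside this rule's coverage. The script path and the allowlist are hypothetical.

```python
"""Added example (not part of the original page or the Sigma project): the
rule's matching logic applied to constructed Linux process_creation events,
plus the kind of exclusion the false-positive scenarios call for."""
from dataclasses import dataclass

# Targets listed in the rule. sleep.target is an assumed extension: the three
# listed targets all pull in sleep.target, so masking it alone also blocks
# sleep, yet the rule as written does not fire on it.
RULE_TARGETS = ("suspend.target", "hibernate.target", "hybrid-sleep.target")
EXTENDED_TARGETS = RULE_TARGETS + ("sleep.target",)


@dataclass
class ProcEvent:
    # Field names follow Sigma's process_creation taxonomy.
    Image: str
    CommandLine: str
    User: str = "root"
    ParentImage: str = "/bin/bash"
    ParentCommandLine: str = ""


def selection_matches(ev: ProcEvent, targets=RULE_TARGETS) -> bool:
    """'all of selection_*': systemctl, ' mask', and at least one power target."""
    return (
        ev.Image.endswith("/systemctl")
        and " mask" in ev.CommandLine          # leading space: 'unmask' must not match
        and any(t in ev.CommandLine for t in targets)
    )


# Hypothetical tuning allowlist for the script scenario. Suppress only when the
# parent is a specific, reviewed script; never key on the user alone, because
# masking system units needs root, so 'User = root' would also drop every true
# positive.
KNOWN_SCRIPTS = ("/opt/scripts/stability_script.sh",)


def filter_known_script(ev: ProcEvent) -> bool:
    """The systemctl command line never contains the calling script's path;
    the parent's command line does, so that is what the filter inspects."""
    return any(s in ev.ParentCommandLine for s in KNOWN_SCRIPTS)


def evaluate(ev: ProcEvent, targets=RULE_TARGETS) -> str:
    """Return 'alert', 'tuned-out' or 'no-match' for one event."""
    if not selection_matches(ev, targets):
        return "no-match"
    if filter_known_script(ev):
        return "tuned-out"
    return "alert"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "mask_all": ProcEvent("/usr/bin/systemctl",
        "systemctl mask suspend.target hibernate.target hybrid-sleep.target"),
    "mask_now": ProcEvent("/bin/systemctl", "systemctl mask --now hibernate.target",
        ParentImage="/usr/bin/python3"),
    "unmask": ProcEvent("/usr/bin/systemctl", "systemctl unmask suspend.target"),
    "status": ProcEvent("/usr/bin/systemctl", "systemctl status suspend.target"),
    # Assumed variant not listed in the rule: masking only the shared sleep.target.
    "sleep_only": ProcEvent("/usr/bin/systemctl", "systemctl mask sleep.target"),
    "ha_script": ProcEvent("/usr/bin/systemctl",
        "systemctl mask suspend.target hibernate.target",
        ParentCommandLine="/bin/bash /opt/scripts/stability_script.sh"),
    # Manual mask: same effect as 'systemctl mask', but Image is /usr/bin/ln,
    # so a process-creation rule keyed on systemctl cannot see it.
    "manual_symlink": ProcEvent("/usr/bin/ln",
        "ln -s /dev/null /etc/systemd/system/suspend.target"),
}


def run_all(targets=RULE_TARGETS) -> dict:
    """Verdict per sample event, for the rule's targets or the extended set."""
    return {name: evaluate(ev, targets) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:15} {verdict}")
    print("sleep_only with sleep.target added:", run_all(EXTENDED_TARGETS)["sleep_only"])
```

Two of the verdicts are the practitioner's takeaways: the sleep.target-only command is a miss until that target is added to selection_power_options, and the direct symlink is a miss for any process-creation rule and needs file-creation or file-integrity telemetry on /etc/systemd/system instead.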
Scenario: System Update Scheduled Job Masks Power Targets
Description: A scheduled update job (a cron job or a systemd timer that runs an update script) uses systemctl mask on the power targets as a pre-update step so the host cannot suspend in the middle of the update.
Filter/Exclusion: Do not exclude on the user. Masking system units requires root, so a "User = root" exclusion would drop the true positives along with the job. Exclude on the known parent instead: the systemctl process is spawned by the update script, so its parent command line carries the script path. In the rule's own syntax (the path is an example and should be the reviewed script's real location):
    filter_update_job:
        ParentCommandLine|contains: '/usr/local/sbin/pre-update.sh'
    condition: all of selection_* and not filter_update_job
Scenario: Power Management Disabled for Energy Efficiency
Description: An IT administrator masks suspend and hibernate so that data-center hosts never drop into a low-power state.
Filter/Exclusion: Process-creation events carry no source IP, so a "SourceIP = 192.168.1.0/24" filter has nothing to match, and a username allowlist (admin, itops) is weak because an attacker who has obtained root can run the command under any account. Keep the alert and scope the suppression to a documented change window rather than to the person, for example in the Sentinel query (times are placeholders for the ticketed window):
    | where not (ActorUsername in ("admin", "itops") and TimeGenerated between (datetime(2025-10-17 22:00) .. datetime(2025-10-17 23:00)))
Anything that fires outside the window, or from a non-interactive parent, should still be reviewed.
Scenario: Systemctl Mask Used in a Script for System Stability
Description: A script used to ensure system stability (e.g., in a high-availability cluster) masks power targets to prevent unexpected shutdowns or sleep states.
Filter/Exclusion: Exclude on the script's path as seen in the parent process, not in the systemctl command line itself: "CommandLine contains '/opt/scripts/stability_script.sh'" would never match, because the systemctl process's command line holds only the mask arguments. For configuration-management tools (ansible, puppet, chef) note that on the managed node the immediate parent of systemctl is usually the tool's interpreter (python or ruby), so keying on the tool name requires walking the process ancestry. Example, in the rule's syntax:
    filter_stability_script:
        ParentCommandLine|contains: '/opt/scripts/stability_script.sh'
    condition: all of selection_* and not filter_stability_script
Scenario: Systemctl Mask Used by a Monitoring Tool