TH16111
Detected presence of software components that can tamper with the machine power settings.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. Machine power settings are high privilege functions that can change the power state of the device. This includes the ability to reboot and shutdown computer systems. Attackers often abuse machine power settings to force a system reboot, upon which malicious code can infect the system and gain persistence. While the presence of code that tampers with machine power settings does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that interact with the machine power state. One example of acceptable use for such functions is prompting users to reboot their system during complex software installations.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1529 - System Shutdown/Reboot.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1529 - System Shutdown/Reboot (External resource - Mitre ATT&CK documentation)
- Administrative privileges (External resource - Wikipedia)