
Summary
This detection rule identifies use of the 'systemctl mask' command to disable power management on a Linux host. Masking a unit symlinks it to /dev/null so it cannot be started, whether manually or as a dependency; applied to the suspend, hibernate, or hybrid-sleep targets, it prevents the system from entering these low-power states. Adversaries may do this to keep a compromised host awake and reachable, so that malicious processes run without interruption and access is not lost when the machine would otherwise sleep. The rule matches a process creation event in which the executed image path ends with '/systemctl' and the command line contains the term 'mask' together with a reference to one of those power management targets; both conditions must hold. Because this behaviour impairs the host's normal power operations, a match is raised as a high-severity alert. False positives are deemed unlikely: legitimate administrative use (for example, deliberately preventing a machine from sleeping) does occur but is rare and readily baselined. The rule is relevant for organizations monitoring Linux endpoints for signs of compromise.
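The matching logic described above, re-implemented over a handful of constructed process-creation events so the match conditions can be exercised offline. This is an added example, not the rule's own query or the vendor's code; the field names Image and CommandLine, and the exact unit names suspend.target, hibernate.target and hybrid-sleep.target, are assumptions for this illustration. A second, tokenised matcher is included to show one property of a plain substring match on 'mask': it also fires on 'unmask', which a tuned rule may want to exclude.

```python
"""Toy re-implementation of the 'systemctl mask' power-management detection.

Example code written for this page; not the rule's own logic. Field names and
unit names are assumptions (see lead-in).
"""
import shlex

# Power-management units the summary refers to (suspend, hibernate, hybrid
# sleep). Exact tokens are an assumption for this example.
POWER_TARGETS = ("suspend.target", "hibernate.target", "hybrid-sleep.target")


def matches_rule(event):
    """Literal reading of the rule: image path ends with '/systemctl', the
    command line contains 'mask' and references a power-management target."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return (
        image.endswith("/systemctl")
        and "mask" in cmdline
        and any(target in cmdline for target in POWER_TARGETS)
    )


def matches_rule_strict(event):
    """Tokenised variant: requires the verb 'mask' as its own argument, so
    'systemctl unmask suspend.target' no longer matches."""
    image = event.get("Image", "")
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:  # unbalanced quoting; treat as non-matching
        return False
    return (
        image.endswith("/systemctl")
        and "mask" in argv
        and any(target in argv for target in POWER_TARGETS)
    )


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target"},
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl unmask suspend.target"},
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl mask bluetooth.service"},
    {"Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl status suspend.target"},
    {"Image": "/usr/bin/bash",
     "CommandLine": "bash -c 'systemctl mask suspend.target'"},
]


def run(events, matcher=matches_rule):
    """Return the command lines of the events the given matcher flags."""
    return [e["CommandLine"] for e in events if matcher(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("literal rule:", hit)
    for hit in run(SAMPLE_EVENTS, matches_rule_strict):
        print("strict rule: ", hit)
```

The literal matcher flags the first two events (the 'unmask' command line contains the substring 'mask' and names a power target), while the strict matcher flags only the first. The fifth event is not matched by either because its image is bash, not systemctl; in practice the child systemctl process that bash spawns produces its own process-creation event, which is the one the rule is meant to catch.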
Categories
- Linux
- Endpoint
Data Sources
- Process
Created: 2025-10-17