diff --git a/rules/linux/auditd/lnx_auditd_invalidate_system_power_settings.yml b/rules/linux/auditd/lnx_auditd_invalidate_system_power_settings.yml
new file mode 100644
index 00000000000..5a1694a27ab
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_invalidate_system_power_settings.yml
@@ -0,0 +1,28 @@
+title: Invalidate System Power Settings
+id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
+status: experimental
+description: Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate, which can disrupt malicious activity.
+author: CheraghiMilad
+date: 2024-11-24
+references:
+    - https://attack.mitre.org/techniques/T1653/
+tags:
+    - attack.persistence
+    - attack.impact
+    - attack.t1653
+logsource:
+    service: auditd
+    product: linux
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'systemctl'
+        a1|contains: 'mask'
+        a2|contains:
+            - 'suspend.target'
+            - 'hibernate.target'
+            - 'hybrid-sleep.target'
+    condition: selection
+falsepositives:
+    - System administrators performing legitimate maintenance
+level: high
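Review bot: `a1|contains: 'mask'` also matches `systemctl unmask …`, the command that reverses the very action this rule targets, so an administrator restoring the targets after maintenance fires a high-severity alert; `a1: 'mask'` pins the subcommand exactly. The `a2|contains` list only inspects the first target argument, so an invocation that passes several targets at once is matched only when the first happens to be one of the three names listed — `sleep.target` is a common fourth and is worth adding to the list, and if sibling auditd rules in this directory match later argument fields, the same pattern would close the gap here. If the command is wrapped in sudo the argument positions shift by one and `a0` no longer holds systemctl; that coverage limit should be stated in the description or a comment so analysts do not read the rule as exhaustive.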