power down monitor

rule:
  meta:
    name: power down monitor
    namespace: host-interaction/hardware/monitor
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - api: user32.SendMessage
      - number: 0x112 = WM_SYSCOMMAND
      - number: 0xF170 = SC_MONITORPOWER
      - number: 2 = the display is being shut off