T1529: System Shutdown/Reboot

View on MITRE ATT&CK	T1529
Tactic(s)	Impact

Data from MITRE ATT&CK®:

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source

Report

Detailed Analysis of DarkGate

This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...

View Source

How to detect this technique

MITRE ATT&CK Data Components

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Host Status (Sensor Health)

Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

ESXi - Avoslocker enumerates VMs and forcefully kills VMs

Reboot System via `halt` - FreeBSD

Reboot System via `halt` - Linux

Restart System - Windows

Reboot System via `poweroff` - FreeBSD

Shutdown System via `halt` - FreeBSD/Linux

Reboot System via `poweroff` - Linux

Restart System via `shutdown` - FreeBSD/macOS/Linux

Restart System via `reboot` - FreeBSD/macOS/Linux

Shutdown System - Windows

ESXi - Terminates VMs using pkill

Logoff System - Windows

Shutdown System via `poweroff` - FreeBSD/Linux

Shutdown System via `shutdown` - FreeBSD/macOS/Linux

Sigma Detections for this Technique

Silence.EDA Detection

windows ps script

Cisco Denial of Service

Suspicious Execution of Shutdown to Log Out

windows process creation

Suspicious Execution of Shutdown

windows process creation

System Shutdown/Reboot - MacOs

macos process creation

System Shutdown/Reboot - Linux