T1529: System Shutdown/Reboot

Adversaries may shut down or reboot systems to interrupt access to those systems, or to aid in their destruction. Operating systems contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands can also be used to shut down or reboot a remote computer or network device via Network Device CLI (e.g. reload).

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

proxmox: PT-CR-2740: ProxMox_VE_Multiple_VM_Container_Stop: A large number of VMs or containers were deleted or stopped in Proxmox. Such actions allow attackers to cause significant damage to the system.

proxmox: PT-CR-2735: ProxMox_VE_Critical_VM_Container_Manipulation: A user performed an action on a critical VM or container in Proxmox. Such actions allow attackers to hide the evidence of their activity, disrupt system availability or functionality, remove security tools, extract or delete important data, embed backdoors, or perform lateral movement within a network.

kontinent: PT-CR-2397: Kontinent_Security_Host_Shutdown: A command was executed to disable a security host. A security host performs a large number of tasks; therefore, disabling it can weaken network perimeter protection and violate system resource availability.

zvirt: PT-CR-2818: ZVirt_Critical_VM_Operation: A user performed an action on a critical VM in the zVirt virtualization platform. Such actions allow attackers to hide the evidence of their activity, disrupt system availability or functionality, remove security tools, extract or delete important data, embed backdoors, or perform lateral movement within a network.

zvirt: PT-CR-2820: ZVirt_Multiple_VM_Stop_Or_Remove: A large number of VMs were deleted or stopped in the zVirt virtualization platform. Such actions allow attackers to cause significant damage to the system.

vk_cloud: PT-CR-2291: VK_Cloud_Critical_VM_Operation: An untrusted user performed an operation on a critical virtual machine in VK Cloud. Attackers can gain access to critical virtual machines, manage them, and change their configuration, including network configuration. This allows them to interfere with the operation of critical virtual machines, disclose information stored on them, and prepare the environment for further attacks.

capabilities_impact: PT-CR-2892: CAP_Stop_Application_Or_System: Stopping a system or application.

microsoft_hyperv: PT-CR-2869: HyperV_Critical_VMs_Manipulation: A user performed an action on a critical VM in Hyper-V. This could be an attacker's attempt to disrupt system integrity and availability.

Detection

ID: DS0017 | Data source and component: Command: Command Execution | Description:

Monitor executed commands and arguments of binaries involved in shutting down or rebooting systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

ID: DS0013 | Data source and component: Sensor Health: Host Status | Description:

Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may suggest the shutting down or rebooting of the system. Windows event logs may also record activity associated with a shutdown/reboot, e.g. System log Event ID 1074 (a process initiated a shutdown or restart; the event names the initiating process, the user, and the stated reason) and Event ID 6006 (the Event Log service stopped, written on a clean shutdown).

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Monitor for newly executed processes of binaries involved in shutting down or rebooting systems.
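The three detection components above (shutdown/reboot command lines, AAA command accounting on network devices, and Windows System log Event IDs 1074 and 6006) can be checked in a single pass over normalized log records. The following is an added example written for this page, not a MaxPatrol SIEM rule or code from the Positive Technologies knowledge base. The command patterns, the record schema (`source`, `host`, `user`, `command_line`, `event_id`, `message`), the `authorized_users` set and the sample records are all assumptions constructed for the example; tune the patterns and the authorized set to your own estate.

```python
"""Added example: T1529 detection logic over constructed log records.

Covers, in one pass:
  - Process Creation / Command Execution: command lines of shutdown/reboot binaries
  - Command Execution on network devices: AAA command-accounting records (e.g. `reload`)
  - Sensor Health: Windows System log Event ID 1074 (process-initiated shutdown,
    names the process and user) and 6006 (Event Log service stopped, clean shutdown)
"""
import re
from typing import Dict, Iterable, List, Set

# Commands that initiate a shutdown or reboot. This list is an assumption for the
# example; extend it for the platforms you monitor.
SHUTDOWN_COMMAND_PATTERNS = [
    re.compile(r"(?i)(^|[\\/\s])shutdown(\.exe)?(\s|$)"),        # Windows shutdown.exe, Linux shutdown(8)
    re.compile(r"(?i)(^|[\\/\s])(reboot|poweroff|halt)(\s|$)"),  # Linux/BSD
    re.compile(r"(?i)\bsystemctl\s+(reboot|poweroff|halt)\b"),   # systemd
    re.compile(r"(?i)\b(stop|restart)-computer\b"),              # PowerShell cmdlets
    re.compile(r"(?i)(^|\s)init\s+[06](\s|$)"),                  # SysV runlevels 0/6
    re.compile(r"(?i)^\s*reload(\s|$)"),                         # Cisco IOS-style device CLI
]

# Windows System log events tied to shutdown/reboot, as cited on the page.
WIN_SHUTDOWN_EVENT_IDS = {1074: "process-initiated shutdown", 6006: "event log service stopped"}


def is_shutdown_command(command_line: str) -> bool:
    """True if the command line invokes a shutdown/reboot binary or device command."""
    return any(p.search(command_line) for p in SHUTDOWN_COMMAND_PATTERNS)


def detect_shutdown(events: Iterable[Dict], authorized_users: Set[str]) -> List[Dict]:
    """Return one alert per matching record, in input order.

    `authorized_users` is the (assumed) set of accounts expected to reboot hosts
    and devices; any other account raises the alert to high severity.
    """
    alerts = []
    for ev in events:
        src = ev["source"]
        user = ev.get("user", "")
        rule = None
        if src in ("process_creation", "aaa_command") and is_shutdown_command(ev.get("command_line", "")):
            rule = "shutdown_command"
        elif src == "windows_system" and ev.get("event_id") in WIN_SHUTDOWN_EVENT_IDS:
            rule = f"win_event_{ev['event_id']}"
        if rule is None:
            continue
        severity = "high" if user and user not in authorized_users else "medium"
        if rule == "win_event_6006":
            # 6006 carries no initiating user; it only confirms a clean shutdown occurred
            severity = "info"
        alerts.append({
            "rule": rule, "host": ev["host"], "user": user, "severity": severity,
            "detail": ev.get("command_line") or ev.get("message", ""),
        })
    return alerts


# Constructed sample records (not real telemetry). Note the remote shutdown of FS01
# issued from WS01 via `shutdown.exe /m \\FS01`, and the matching 1074 on FS01.
SAMPLE_EVENTS = [
    {"source": "process_creation", "host": "WS01", "user": "CORP\\svc-backup",
     "command_line": r"C:\Windows\System32\shutdown.exe /s /t 0 /m \\FS01"},
    {"source": "process_creation", "host": "WS02", "user": "CORP\\admin.ops",
     "command_line": "powershell.exe -c Restart-Computer -Force"},
    {"source": "process_creation", "host": "WS02", "user": "CORP\\jdoe",
     "command_line": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"source": "aaa_command", "host": "core-sw1", "user": "cisco-noc",
     "command_line": "reload in 5"},
    {"source": "aaa_command", "host": "core-sw1", "user": "contractor7",
     "command_line": "reload"},
    {"source": "windows_system", "host": "FS01", "event_id": 1074, "user": "CORP\\svc-backup",
     "message": "The process C:\\Windows\\system32\\shutdown.exe (WS01) has initiated the "
                "shutdown of computer FS01 on behalf of user CORP\\svc-backup for the following reason: ..."},
    {"source": "windows_system", "host": "FS01", "event_id": 6006, "user": "",
     "message": "The Event log service was stopped."},
]

# Assumed set of accounts allowed to reboot hosts and devices.
AUTHORIZED = {"CORP\\admin.ops", "cisco-noc"}

if __name__ == "__main__":
    for alert in detect_shutdown(SAMPLE_EVENTS, AUTHORIZED):
        print(alert)
```

The command-line rule is deliberately broad (it also fires on an administrator's scheduled reboot); the authorized-user check is what separates routine maintenance from the unexpected or unauthorized operator the page tells you to look for, and the 1074 record lets you tie a remote shutdown back to the host and account that issued it.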