System Shutdown/Reboot

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown or reboot of a machine. In some cases, these commands may also be used to initiate a shutdown or reboot of a remote computer.[1] Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[2][3]

ID: T1529
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Impact Type: Availability
Version: 1.0
Created: 04 October 2019
Last Modified: 27 March 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0067 APT37

APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.[4]

G0082 APT38

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[5]

S0607 KillDisk

KillDisk attempts to reboot the machine by terminating specific processes.[6]

G0032 Lazarus Group

Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[7]

S0372 LockerGoga

LockerGoga has been observed shutting down infected systems.[8]

S0582 LookBack

LookBack can shut down and reboot the victim machine.[9]

S0449 Maze

Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[10]

S0368 NotPetya

NotPetya will reboot the system one hour after infection.[2][11]

S0365 Olympic Destroyer

Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[3][11]

S0140 Shamoon

Shamoon will reboot the infected system once the wiping functionality has been completed.[12][13]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0013 Sensor Health Host Status

Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also record activity associated with a shutdown or reboot, e.g. Event IDs 1074 and 6006.
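The following is an added example, not code from the ATT&CK page, showing how the three data components above (command execution, process creation, host status) can be combined in one triage pass. It runs over constructed records loosely modelled on JSON-exported Windows logs: Sysmon Event ID 1 for process creation, System log Event ID 1074 (a process initiated a shutdown or restart on behalf of a user) and Event ID 6006 (the event log service stopped, i.e. a clean shutdown). The field names (Host, EventID, Image, CommandLine, ParentImage, Process, User) and the allowlist of expected initiators are assumptions of this example, not a vendor schema; the first sample record mirrors the APT37 procedure listed above (shutdown /r /t 1).

```python
"""Triage constructed Windows telemetry for T1529-style shutdown/reboot activity.

Added example, not code from the ATT&CK page. Events are dicts loosely
modelled on JSON-exported Windows System/Sysmon logs; the field names
(Host, EventID, Image, CommandLine, ParentImage, Process, User) are an
assumption of this example, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Event IDs named on the page: 1074 (shutdown/restart initiated via User32),
# 6006 (event log service stopped at clean shutdown). Sysmon Event ID 1
# (process creation) stands in for the "Process Creation" data component.
SHUTDOWN_INITIATED = 1074
EVENTLOG_STOPPED = 6006
SYSMON_PROCESS_CREATE = 1

# Binaries that initiate a shutdown/reboot on Windows.
SHUTDOWN_BINARIES = {"shutdown.exe", "psshutdown.exe"}
# Processes that routinely initiate planned restarts (servicing, logon/boot
# infrastructure). This allowlist is an example assumption; tune it per fleet.
EXPECTED_INITIATORS = {"wininit.exe", "winlogon.exe", "musnotification.exe", "svchost.exe"}

_TIMEOUT_RE = re.compile(r"(?:^|\s)/t\s+(\d+)", re.IGNORECASE)
_REMOTE_RE = re.compile(r"(?:^|\s)/m\s+\\\\(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    event_id: int
    severity: str
    reason: str


def _image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process_create(ev: dict) -> Optional[Finding]:
    """Sysmon EID 1: flag shutdown binaries; escalate on force, zero grace or remote target."""
    if _image_name(ev.get("Image", "")) not in SHUTDOWN_BINARIES:
        return None
    cmd = ev.get("CommandLine", "")
    flags = {tok.lower() for tok in cmd.split() if tok.startswith("/")}
    reasons, severity = [], "low"
    if flags & {"/r", "/s"}:
        reasons.append("restart/shutdown requested")
    if "/f" in flags:
        reasons.append("forced (/f)")
        severity = "medium"
    m = _TIMEOUT_RE.search(cmd)
    if m and int(m.group(1)) <= 1:
        reasons.append(f"no grace period (/t {m.group(1)})")
        severity = "high"
    m = _REMOTE_RE.search(cmd)
    if m:
        reasons.append(f"remote target {m.group(1)}")
        severity = "high"
    parent = _image_name(ev.get("ParentImage", ""))
    if parent and parent != "explorer.exe":
        reasons.append(f"non-interactive parent {parent}")
    return Finding(ev.get("Host", "?"), SYSMON_PROCESS_CREATE, severity,
                   "; ".join(reasons) or "shutdown binary executed")


def classify_shutdown_initiated(ev: dict) -> Optional[Finding]:
    """Event ID 1074: flag initiating processes outside the expected set."""
    proc = _image_name(ev.get("Process", ""))
    if proc in EXPECTED_INITIATORS:
        return None
    # shutdown.exe is ordinary admin tooling: low on its own, correlate with EID 1.
    severity = "low" if proc in SHUTDOWN_BINARIES else "high"
    return Finding(ev.get("Host", "?"), SHUTDOWN_INITIATED, severity,
                   f"shutdown initiated by {proc or 'unknown process'} as {ev.get('User', '?')}")


def detect(events: list) -> list:
    """Walk events in time order; correlate 6006 against an earlier 1074 per host."""
    findings, initiated = [], set()
    for ev in events:
        host, eid = ev.get("Host", "?"), ev.get("EventID")
        f = None
        if eid == SYSMON_PROCESS_CREATE:
            f = classify_process_create(ev)
        elif eid == SHUTDOWN_INITIATED:
            initiated.add(host)
            f = classify_shutdown_initiated(ev)
        elif eid == EVENTLOG_STOPPED and host not in initiated:
            # Heuristic: a clean shutdown with no 1074 on this host means the
            # User32 shutdown path was bypassed or the 1074 record was lost.
            f = Finding(host, EVENTLOG_STOPPED, "medium",
                        "event log stopped with no 1074 initiation record")
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real logs). The first record mirrors the
# APT37 procedure on the page: shutdown /r /t 1 spawned by an unusual parent.
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 1", "ParentImage": r"C:\Users\Public\svc.tmp.exe"},
    {"Host": "WS01", "EventID": 1074, "Process": r"C:\Windows\system32\shutdown.exe",
     "User": "WS01\\jdoe"},
    {"Host": "WS01", "EventID": 6006},
    {"Host": "WS02", "EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Host": "WS02", "EventID": 1074, "Process": r"C:\Users\Public\wiper.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Host": "WS03", "EventID": 6006},
    {"Host": "FS01", "EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": r"shutdown /s /f /m \\FS02 /t 0", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} EID {f.event_id} [{f.severity}] {f.reason}")
```

The severity ladder is deliberately conservative: a bare shutdown.exe from an interactive session stays low, and only the traits the page's procedure examples share (no grace period, forced, remote target, or an initiator that is not standard servicing infrastructure) escalate. The 6006-without-1074 correlation is a heuristic for the "Host Status" component and should be tuned against the reboot baseline of the fleet before it pages anyone.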

References