System Shutdown/Reboot

Information

• Name: System Shutdown/Reboot

• ID: T1529

• Tactics:

Introduction

The System Shutdown/Reboot technique (T1529) within the MITRE ATT&CK framework involves adversaries intentionally shutting down or rebooting systems to disrupt business operations, evade detection, facilitate lateral movement, or execute destructive payloads. Attackers leverage legitimate system functionalities or malicious scripts to initiate shutdown or reboot commands, significantly affecting system availability and reliability.

Deep Dive Into Technique

Attackers frequently leverage built-in operating system commands and utilities to execute system shutdowns or reboots. This technique can be executed across various operating systems, including Windows, Linux, and macOS. Common execution methods include:

• Windows Systems:

  • Using command-line utilities such as:

    • shutdown /s /t 0 (immediate shutdown)

    • shutdown /r /t 0 (immediate reboot)

    • shutdown /f (force running applications to close)

  • Leveraging PowerShell commands:

    • Stop-Computer (shutdown)

    • Restart-Computer (reboot)

  • Employing Windows Management Instrumentation (WMI) or scheduled tasks to remotely trigger shutdown/reboot commands.

• Linux/Unix Systems:

  • Utilizing commands such as:

    • shutdown -h now (immediate halt/shutdown)

    • shutdown -r now (immediate reboot)

    • reboot, halt, poweroff

  • Employing cron jobs or remote SSH commands to automate or remotely execute these operations.

• macOS Systems:

  • Using terminal commands:

    • sudo shutdown -h now (shutdown)

    • sudo shutdown -r now (reboot)

    • sudo reboot

Attackers may incorporate these commands into malicious scripts or malware payloads to automate system disruption. Additionally, adversaries may execute these commands remotely through compromised administrative accounts or remote execution tools.

When this Technique is Usually Used

Attackers commonly employ the System Shutdown/Reboot technique in various attack scenarios and stages, including:

• Impact Stage:

  • To disrupt critical business operations and services.

  • To cause denial-of-service (DoS) conditions, impacting availability of systems and applications.

• Defense Evasion:

  • To disrupt forensic analysis by rebooting systems, clearing volatile memory, and erasing evidence.

  • To evade detection by restarting systems after privilege escalation or malware installation, ensuring persistence mechanisms activate upon reboot.

• Lateral Movement:

  • To force system reboots and trigger automated scripts or services that facilitate lateral movement or payload execution.

• Ransomware and Destructive Attacks:

  • To finalize the encryption process or destructive payload delivery by forcing a reboot, ensuring critical systems become inaccessible.

How this Technique is Usually Detected

Detection of unauthorized shutdown or reboot activities typically involves monitoring and analyzing system logs, event management platforms, and endpoint detection tools. Detection methods include:

• Windows Systems:

  • Monitoring Windows Event Logs for specific event IDs:

    • Event ID 1074 (System shutdown initiated)

    • Event ID 6006 (Event log service stopped, indicating shutdown)

    • Event ID 6008 (Unexpected shutdown)

    • Event ID 41 (Kernel-Power unexpected reboot)

  • Analyzing command-line logging (Sysmon Event ID 1) for suspicious execution of shutdown commands.

  • Reviewing scheduled tasks and WMI event subscriptions for unauthorized shutdown or reboot triggers.

• Linux/Unix Systems:

  • Analyzing system logs (/var/log/auth.log, /var/log/syslog, /var/log/messages) for shutdown or reboot commands.

  • Reviewing shell history (.bash_history) for suspicious execution of shutdown/reboot commands.

  • Monitoring cron jobs or SSH command executions for unauthorized shutdown or reboot activities.

• macOS Systems:

  • Inspecting system logs (/var/log/system.log) and audit logs for shutdown/reboot events.

  • Reviewing terminal command history and launch daemons for suspicious shutdown commands.

Indicators of Compromise (IoCs) typically include:

• Suspicious or unauthorized execution of shutdown/reboot commands.

• Unexpected system downtime or reboots without prior notification.

• Correlation of reboot events with unauthorized account logins or malware detections.

Why it is Important to Detect This Technique

Early detection of unauthorized system shutdown or reboot activities is crucial due to the significant impacts on organizational operations, security posture, and business continuity:

• Operational Impact:

  • Unplanned system shutdowns or reboots disrupt critical business operations, leading to financial losses and decreased productivity.

  • Unexpected downtime can affect customer-facing services, damaging organizational reputation and customer trust.

• Security Impact:

  • System reboots clear volatile memory, potentially removing valuable forensic evidence required for incident response and threat hunting.

  • Attackers may leverage system shutdowns/reboots to finalize destructive payloads, such as ransomware encryption or data wiping.

• Incident Response and Forensics:

  • Early detection helps preserve critical forensic evidence, enabling effective incident response and containment.

  • Timely identification of unauthorized shutdown/reboot activities can signal broader attacks, allowing security teams to proactively investigate and mitigate threats before further damage occurs.

Examples

Real-world examples demonstrating the System Shutdown/Reboot technique include:

• NotPetya Attack (2017):

  • Attack Scenario:

    • NotPetya ransomware/wiper malware rapidly spread through corporate networks, encrypting and wiping data.

    • Malware leveraged forced reboots to trigger payload execution and encryption routines during system startup.

  • Tools Used:

    • Malicious payload incorporating Windows shutdown/reboot commands.

    • Leveraged administrative tools (e.g., PSExec) and compromised credentials for lateral movement.

  • Impact:

    • Massive global disruption, significant financial losses, and operational downtime affecting multiple organizations worldwide.

• Shamoon Attack (2012, 2016, 2018):

  • Attack Scenario:

    • Destructive malware targeting critical infrastructure and oil companies in the Middle East.

    • Malware forced system reboots after wiping critical system files and overwriting MBR (Master Boot Record).

  • Tools Used:

    • Custom malware incorporating Windows shutdown/reboot commands to finalize destructive actions.

  • Impact:

    • Severe operational disruptions, permanent data loss, and extensive recovery efforts.

• DarkSeoul Attack (2013):

  • Attack Scenario:

    • Coordinated cyberattack against South Korean banks and media companies.

    • Malware forced system reboots after overwriting MBR and rendering systems unbootable.

  • Tools Used:

    • Custom malware employing forced reboot commands to finalize destructive payload execution.

  • Impact:

    • Significant operational disruption, financial losses, and extended recovery times for impacted organizations.

These examples highlight the critical importance of detecting unauthorized system shutdown/reboot activities to limit operational disruption, preserve forensic evidence, and mitigate potential damage from destructive cyberattacks.