# T1529 System Shutdown/Reboot

-----------------------------------------------------------------------

## Technique Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device.(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

## Technique Detection

Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, e.g. Event ID 1074 and 6006. Unexpected or unauthorized commands from the network CLI on network devices may also be associated with shutdown/reboot, e.g. the <code>reload</code> command.

-----------------------------------------------------------------------

### Tactics:

  * Impact

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### Adversary Required Permissions:

  * User

  * Administrator

  * root

  * SYSTEM

### Data Sources:

  * **Command:** Command Execution

  * **Sensor Health:** Host Status

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.(Citation: FireEye APT38 Oct 2018) |
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used malware that will issue the command <code>shutdown /r /t 1</code> to reboot a system after wiping its MBR.(Citation: Talos Group123) |
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: US-CERT SHARPKNOT June 2018) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1529)

  * [Microsoft Shutdown Oct 2017](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown), Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.

  * [Alert_Ta18_106A](https://www.cisa.gov/uscert/ncas/alerts/TA18-106A), CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.

  * [Talos Nyetya June 2017](https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html), Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.

  * [Talos Olympic Destroyer 2018](https://blog.talosintelligence.com/2018/02/olympic-destroyer.html), Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Example command lines to look for:

Shutdown /s /t 1
Shutdown /r /t 1'

  * **Query:** ```process.name : shutdown.exe```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'Windows Audits'

  * **Tool:** 'Kibana'

  * **Notes:** 'Windows event logs may also designate activity associated with a shutdown/reboot, e.g. Event ID 1074 and 6006.

Event ID 1074: The system has been shut down by a process/user (the event records the initiating process, user and reason).

Event ID 6006: The event log service was stopped.'

  * **Query:** ```event.code : (1074 or 6006)```
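The Technique Detection paragraph and the two host analytics above can be exercised offline as one triage pass over constructed events. This is an added example, not part of this hunt note or of MITRE's content; the field names follow the flattened ECS shape winlogbeat/Sysmon produce, and the 5-second "abrupt" threshold and the severity labels are assumptions.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed ECS-shaped events (winlogbeat/Sysmon style, fields flattened); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event.code": 1, "process.name": "shutdown.exe", "process.parent.name": "rundll32.exe",
     "process.command_line": "shutdown /r /t 1", "user.name": "CORP\\alice"},
    {"event.code": 1, "process.name": "shutdown.exe", "process.parent.name": "cmd.exe",
     "process.command_line": 'shutdown /s /t 600 /c "monthly patching"', "user.name": "CORP\\itadmin"},
    {"event.code": 1, "process.name": "notepad.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "notepad.exe notes.txt", "user.name": "CORP\\alice"},
    {"event.code": 1074, "winlog.event_data.param1": "C:\\Windows\\system32\\shutdown.exe (HOST1)",
     "winlog.event_data.param3": "Other (Unplanned)", "user.name": "CORP\\alice"},
    {"event.code": 6006},
]

SHUTDOWN_BIN = re.compile(r"^(?:.*\\)?shutdown(?:\.exe)?$", re.IGNORECASE)
SWITCH = re.compile(r"(?:^|\s)[/-]([srfa])\b", re.IGNORECASE)   # /s /r /f /a (shutdown.exe also accepts -)
TIMEOUT = re.compile(r"(?:^|\s)[/-]t\s+(\d+)", re.IGNORECASE)
ABRUPT_SECONDS = 5  # assumption: a /t below this is "abrupt", like the `shutdown /r /t 1` seen in the wild

def analytic_1(ev: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Process-creation view (Analytic 1): shutdown binary plus its command-line switches."""
    if ev.get("event.code") != 1 or not SHUTDOWN_BIN.match(ev.get("process.name", "")):
        return None
    cmd = ev.get("process.command_line", "")
    switches = {s.lower() for s in SWITCH.findall(cmd)}
    m = TIMEOUT.search(cmd)
    delay = int(m.group(1)) if m else 30  # shutdown.exe defaults to a 30 s timeout when /t is absent
    abrupt = bool(switches & {"s", "r"}) and delay < ABRUPT_SECONDS
    return {"rule": "analytic_1", "severity": "high" if abrupt else "medium",
            "summary": f"{ev.get('user.name')} ran '{cmd}' under {ev.get('process.parent.name')} ({delay}s delay)"}

def analytic_2(ev: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """System-log view (Analytic 2): Event ID 1074 (shutdown initiated) and 6006 (event log stopped)."""
    code = ev.get("event.code")
    if code == 1074:
        initiator = ev.get("winlog.event_data.param1", "").split(" (")[0]  # strip the "(HOST)" suffix
        sev = "high" if SHUTDOWN_BIN.match(initiator) else "medium"       # ties back to Analytic 1
        return {"rule": "analytic_2", "severity": sev,
                "summary": f"1074: {initiator} by {ev.get('user.name')}, reason '{ev.get('winlog.event_data.param3')}'"}
    if code == 6006:
        return {"rule": "analytic_2", "severity": "info", "summary": "6006: event log service stopped"}
    return None

def triage(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run both analytics over a batch of events and return the findings in event order."""
    return [f for ev in events for f in (analytic_1(ev), analytic_2(ev)) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['rule']}: {f['summary']}")
```

The planned `shutdown /s /t 600 /c "monthly patching"` run lands as medium so an analyst can clear it against change records, while the one-second reboot and the matching 1074 record are both raised as high.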



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------


