Correlate process execution of shutdown/reboot commands (e.g., shutdown.exe, restart-computer) with host status change logs (Event IDs 1074, 6006), and flag executions that lack the expected administrative context (e.g., the user is not a member of the Helpdesk group).

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | WinEventLog:Security | EventCode=1074 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| UserContext | Defines whether the user has appropriate privileges to initiate a shutdown/reboot. |
| TimeWindow | Unexpected shutdowns during business hours may warrant increased scrutiny. |
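The Windows correlation described above, as an added example that is not part of the original page: it pairs Sysmon EventCode=1 shutdown commands with an Event ID 1074 host-status record on the same host inside a short window, then applies the UserContext and TimeWindow checks. The sample events, the Helpdesk group membership, the 30-second window and the business-hours range are all constructed assumptions (timestamps are treated as local time).

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), shaped like the Sysmon EventCode=1 and
# Event ID 1074 records named in the tables above.
PROCESS_EVENTS = [
    {"UtcTime": "2024-03-12 14:14:07", "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown.exe /r /t 0"},
    {"UtcTime": "2024-03-12 22:01:00", "Computer": "WS02", "User": "CORP\\helpdesk1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Restart-Computer -Force"},
    {"UtcTime": "2024-03-12 09:30:00", "Computer": "WS03", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown.exe /a"},  # abort: no 1074 follows
]
HOST_STATUS_EVENTS = [  # Event ID 1074: host records the requested shutdown/restart
    {"TimeCreated": "2024-03-12 14:14:09", "Computer": "WS01"},
    {"TimeCreated": "2024-03-12 22:01:02", "Computer": "WS02"},
]
HELPDESK_GROUP = {"CORP\\helpdesk1"}  # assumed enrichment, e.g. AD group membership
BUSINESS_HOURS = range(8, 18)         # assumed local business hours, 08:00-17:59

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def is_shutdown_command(ev):
    """True for shutdown.exe or the Restart-Computer cmdlet anywhere on the command line."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    return image == "shutdown.exe" or "restart-computer" in ev["CommandLine"].lower()

def correlate(process_events, host_status_events, window=timedelta(seconds=30)):
    """Pair each shutdown command with a 1074 on the same host within `window`, then
    flag pairs that lack an approved user context or fall in business hours."""
    alerts = []
    for proc in process_events:
        if not is_shutdown_command(proc):
            continue
        started = parse(proc["UtcTime"])
        confirmed = any(hs["Computer"] == proc["Computer"]
                        and timedelta(0) <= parse(hs["TimeCreated"]) - started <= window
                        for hs in host_status_events)
        if not confirmed:  # command ran but the host never reported a shutdown (e.g. abort)
            continue
        reasons = []
        if proc["User"] not in HELPDESK_GROUP:
            reasons.append("user not in Helpdesk group")
        if started.hour in BUSINESS_HOURS:
            reasons.append("shutdown during business hours")
        if reasons:
            alerts.append({"Computer": proc["Computer"], "User": proc["User"],
                           "CommandLine": proc["CommandLine"], "reasons": reasons})
    return alerts
```

Only the WS01 event is raised: WS02 is a Helpdesk member acting after hours, and the WS03 abort never produces a 1074, so it is not treated as a completed shutdown.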
Detect 'shutdown', 'reboot', or 'systemctl poweroff' executions via auditd and syslog, and flag those that fall outside scheduled maintenance windows or lack an approved user context.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve=/sbin/shutdown or /sbin/reboot |
| Host Status (DC0018) | linux:syslog | system is powering down |

| Field | Description |
|---|---|
| CommandLineMatch | Supports multiple binary names or symlinked utilities. |
| UserContext | Privileged user (e.g., root or via sudo) context matching expected roles. |
Identify 'shutdown', 'reboot', or 'osascript'-driven system shutdown invocations in the unified log and track unexpected shutdown sequences initiated from the GUI or by script. Cross-reference them with user activity, or the absence of it.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | shutdown -h now or reboot |
| Host Status (DC0018) | macos:unifiedlog | System shutdown or reboot requested |

| Field | Description |
|---|---|
| LaunchMechanism | Scripted vs. interactive shutdowns. |
| LogGranularity | May vary depending on macOS version and unified log verbosity. |
Detect commands such as 'esxcli system shutdown' or 'vim-cmd vmsvc/power.shutdown' executed outside of maintenance windows or by unusual users. Correlate reboot entries in hostd.log with shell logs.

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | esxi:hostd | Powering off or restarting host |
| Command Execution (DC0064) | esxi:shell | esxcli system shutdown or reboot invoked |

| Field | Description |
|---|---|
| AccountRole | Administrative account context validation. |
| MaintenanceWindow | Expected times for reboot/shutdown behavior. |
Monitor CLI 'reload' commands issued outside scheduled maintenance, and correlate them with TACACS+/AAA logs to validate the issuing user's privilege level.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | reload command issued |
| Host Status (DC0018) | networkdevice:syslog | System reboot scheduled or performed |

| Field | Description |
|---|---|
| PrivilegeLevel | TACACS+/AAA role thresholds for command execution. |
| ChangeTicketCorrelation | Track change control windows or ITSM integration. |