Monitor for a loss of network communications, which may indicate a device has been shut down or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.
Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.
Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.
Monitor ICS automation protocols for functions that restart or shut down a device. Commands to restart or shut down devices may also be observable in traditional IT management protocols.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | Network Traffic | None |
| Application Log Content (DC0038) | Application Log | None |
| Device Alarm (DC0108) | Operational Databases | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
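
The following is an added example, not part of the original page: it reports restart or shutdown events from application logs, device alarms and protocol monitoring that fall outside approved maintenance windows, and uses a loss of network communications only as corroborating evidence. Device names, event fields, thresholds and the sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

GAP = timedelta(seconds=60)   # assumed: silence longer than this counts as a communication gap
NEAR = timedelta(minutes=2)   # assumed: how close a gap must be to a restart event

def t(s):
    return datetime.strptime(s, "%H:%M:%S")

# Constructed sample data; device names, sources and messages are hypothetical.
FLOWS = [("plc-01", t(x)) for x in ("10:00:00", "10:00:10", "10:00:20", "10:03:30", "10:03:40")] + \
        [("plc-02", t(x)) for x in ("10:00:00", "10:00:10", "10:00:20", "10:00:30")]
EVENTS = [  # (device, time, source, message)
    ("plc-01", t("10:00:25"), "protocol", "restart function observed"),
    ("plc-01", t("10:03:28"), "applog", "controller restarted"),
    ("plc-02", t("10:00:15"), "alarm", "device restart"),
    ("plc-03", t("02:00:00"), "applog", "controller restarted"),
]
MAINTENANCE = [("plc-03", t("01:30:00"), t("02:30:00"))]  # approved restart windows

def comm_gaps(flows, threshold=GAP):
    """Return {device: [(last_seen, next_seen), ...]} for silences longer than threshold."""
    seen, gaps = {}, {}
    for dev, when in sorted(flows, key=lambda f: (f[0], f[1])):
        prev = seen.get(dev)
        if prev is not None and when - prev > threshold:
            gaps.setdefault(dev, []).append((prev, when))
        seen[dev] = when
    return gaps

def in_maintenance(dev, when, windows):
    return any(d == dev and start <= when <= end for d, start, end in windows)

def findings(flows=FLOWS, events=EVENTS, windows=MAINTENANCE):
    """Unexpected restart/shutdown events, flagged when a communication gap backs them up."""
    gaps = comm_gaps(flows)
    out = []
    for dev, when, source, _msg in events:
        if in_maintenance(dev, when, windows):
            continue  # expected restart, not reported
        backed = any(s - NEAR <= when <= e + NEAR for s, e in gaps.get(dev, []))
        out.append({"device": dev, "time": when, "source": source, "gap_corroborated": backed})
    return out

if __name__ == "__main__":
    for f in findings():
        print(f)
```

A finding with `gap_corroborated` set to `False` is still reported; the communication gap raises confidence but is not required, matching its supporting role in the detection notes.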