Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload
).[1][2]
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[3][4]
ID | Name | Description |
---|---|---|
S1125 | AcidRain |
AcidRain reboots the target system once the various wiping processes are complete.[5] |
G0067 | APT37 |
APT37 has used malware that will issue the command |
G0082 | APT38 |
APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[7] |
S1053 | AvosLocker |
AvosLocker’s Linux variant has terminated ESXi virtual machines.[8] |
S1033 | DCSrv |
DCSrv has a function to sleep for two hours before rebooting the system.[9] |
S0697 | HermeticWiper |
HermeticWiper can initiate a system shutdown.[10][11] |
S0607 | KillDisk |
KillDisk attempts to reboot the machine by terminating specific processes.[12] |
G0032 | Lazarus Group |
Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[13] |
S0372 | LockerGoga |
LockerGoga has been observed shutting down infected systems.[14] |
S0582 | LookBack | |
S0449 | Maze |
Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[16] |
S0368 | NotPetya |
NotPetya will reboot the system one hour after infection.[3][17] |
S0365 | Olympic Destroyer |
Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[4][17] |
S0140 | Shamoon |
Shamoon will reboot the infected system once the wiping functionality has been completed.[18][19] |
S0689 | WhisperGate |
WhisperGate can shutdown a compromised host through execution of |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments of binaries involved in shutting down or rebooting systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
DS0009 | Process | Process Creation |
Monitor for newly executed processes of binaries involved in shutting down or rebooting systems. |
DS0013 | Sensor Health | Host Status |
Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may suggest the shutting down or rebooting of the system. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006. |