Find sigma rule

Attack: System Shutdown/Reboot

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

MITRE

Tactic

impact

technique

T1529

Test : Logoff System - Windows

OS

windows

Description:

This test performs a Windows system logoff as seen in dcrat backdoor capabilities

Executor

command_prompt

Sigma Rule

proc_creation_win_shutdown_logoff.yml (id: ec290c06-9b6b-4338-8b6b-095c0f284f10)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test