Find sigma rule
Attack: System Shutdown/Reboot
Adversaries may shut down/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shut down/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
MITRE
Tactic
- impact
Technique
- T1529
Test: Shutdown System - Windows
OS
- windows
Description:
This test shuts down a Windows system.
Executor
command_prompt
Sigma Rule
- proc_creation_win_shutdown_execution.yml (id: 34ebb878-1b15-4895-b352-ca2eeb99b274)