# T1529 - System Shutdown/Reboot

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

## Atomic Tests

### Atomic Test #1 - Shutdown System - Windows

This test shuts down a Windows system.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with command_prompt

```cmd
shutdown /s /t 1
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 1
```

### Atomic Test #2 - Restart System - Windows

This test restarts a Windows system.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with command_prompt

```cmd
shutdown /r /t 1
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 2
```

### Atomic Test #3 - Restart System via shutdown - FreeBSD/macOS/Linux

This test restarts a FreeBSD/macOS/Linux system.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
shutdown -r now
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 3
```

### Atomic Test #4 - Shutdown System via shutdown - FreeBSD/macOS/Linux

This test shuts down a FreeBSD/macOS/Linux system using a halt.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
shutdown -h now
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 4
```

### Atomic Test #5 - Restart System via reboot - FreeBSD/macOS/Linux

This test restarts a FreeBSD/macOS/Linux system via reboot.

Supported Platforms: linux, macos

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
reboot
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 5
```

### Atomic Test #6 - Shutdown System via halt - FreeBSD/Linux

This test shuts down a FreeBSD/Linux system using halt.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
halt -p
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 6
```

### Atomic Test #7 - Reboot System via halt - FreeBSD

This test restarts a FreeBSD system using halt.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
halt -r
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 7
```

### Atomic Test #8 - Reboot System via halt - Linux

This test restarts a Linux system using halt.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with bash

```bash
halt --reboot
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 8
```

### Atomic Test #9 - Shutdown System via poweroff - FreeBSD/Linux

This test shuts down a FreeBSD/Linux system using poweroff.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
poweroff
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 9
```

### Atomic Test #10 - Reboot System via poweroff - FreeBSD

This test restarts a FreeBSD system using poweroff.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
poweroff -r 3
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 10
```

### Atomic Test #11 - Reboot System via poweroff - Linux

This test restarts a Linux system using poweroff.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with bash

```bash
poweroff --reboot
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 11
```

### Atomic Test #12 - Logoff System - Windows

This test performs a Windows system logoff, as seen in DCRat backdoor capabilities.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with command_prompt

```cmd
shutdown /l
```

```powershell
Invoke-AtomicTest T1529 -TestNumbers 12
```

## Detection

Use process monitoring to monitor the execution and command-line parameters of binaries involved in shutting down or rebooting systems (for example shutdown, reboot, halt and poweroff, as used in the tests above). Windows event logs may also record activity associated with a shutdown/reboot, e.g. Event IDs 1074 and 6006. Unexpected or unauthorized commands issued from the CLI of network devices may also be associated with a shutdown/reboot, e.g. the reload command.
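As an added example (not part of the ATT&CK page or of Atomic Red Team), the detection described above applied to a batch of constructed telemetry: process-creation records are classified by the shutdown-family binary and flags the tests above use (plus the standard Unix `shutdown -h`/`-r` forms), and Windows System log records are matched on Event IDs 1074 and 6006. The `PROC`/`WINEVT` record format, the host names and the sample lines are assumptions made up for this example, not a real log schema.

```python
"""Detection example for T1529: flag shutdown/reboot/logoff commands in
process-creation records and the Windows System log events named above.
Added for illustration; the record format and sample lines are constructed,
not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries used by the Atomic tests above (path and .exe suffix stripped).
SHUTDOWN_BINARIES = {"shutdown", "reboot", "halt", "poweroff"}

# Windows System log events that corroborate a shutdown/reboot.
WINDOWS_EVENT_IDS = {
    1074: "user-initiated shutdown/restart (names the initiating process)",
    6006: "event log service stopped (clean shutdown)",
}

# Constructed record formats (an assumption for this example, not a real schema):
#   PROC host=<h> user=<u> cmd=<full command line>
#   WINEVT host=<h> id=<event id> msg=<text>
PROC_RE = re.compile(r"^PROC host=(\S+) user=(\S+) cmd=(.*)$")
EVT_RE = re.compile(r"^WINEVT host=(\S+) id=(\d+) msg=(.*)$")


@dataclass
class Finding:
    host: str
    source: str   # "process" or "event-<id>"
    detail: str


def classify_command(cmdline: str) -> Optional[str]:
    """Label a command line as 'shutdown', 'reboot', 'logoff' or 'abort',
    or return None when it is not one of the shutdown-family binaries."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    # Normalise "C:\Windows\System32\shutdown.exe" and "/sbin/halt" to the bare name.
    exe = parts[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe not in SHUTDOWN_BINARIES:
        return None
    flags = {p.lower() for p in parts[1:]}
    if exe == "shutdown":
        if "/l" in flags:                       # Windows logoff (Atomic Test #12)
            return "logoff"
        if "/a" in flags:                       # Windows: abort a pending shutdown
            return "abort"
        if "/r" in flags or "-r" in flags:      # Windows /r, Unix -r
            return "reboot"
        # Windows /s, Unix -h; other forms (e.g. /p, -P) still take the host down.
        return "shutdown"
    if exe == "reboot":
        return "reboot"
    # halt and poweroff: -r/--reboot means reboot, anything else powers off.
    if "-r" in flags or "--reboot" in flags:
        return "reboot"
    return "shutdown"


def scan(lines: List[str]) -> List[Finding]:
    """Run both detections over a batch of records, preserving order."""
    findings: List[Finding] = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            host, user, cmd = m.groups()
            label = classify_command(cmd)
            if label:
                findings.append(Finding(host, "process", f"{label}: {user} ran {cmd!r}"))
            continue
        m = EVT_RE.match(line)
        if m:
            host, eid = m.group(1), int(m.group(2))
            if eid in WINDOWS_EVENT_IDS:
                findings.append(Finding(host, f"event-{eid}", WINDOWS_EVENT_IDS[eid]))
    return findings


# Constructed sample telemetry: two hosts, a mix of benign and shutdown activity.
SAMPLE_LOGS = [
    "PROC host=WS01 user=jdoe cmd=C:\\Windows\\System32\\shutdown.exe /s /t 1",
    "PROC host=WS01 user=jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
    "WINEVT host=WS01 id=1074 msg=The process shutdown.exe has initiated the shutdown of computer WS01",
    "WINEVT host=WS01 id=6006 msg=The Event log service was stopped.",
    "WINEVT host=WS01 id=7036 msg=The Print Spooler service entered the running state.",
    "PROC host=LX03 user=root cmd=/sbin/halt --reboot",
    "PROC host=LX03 user=root cmd=ls -la /tmp",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.host}] {f.source}: {f.detail}")
```

In production the process findings would be filtered against a change or maintenance window and an allow-list of administrators, and an Event ID 1074 whose initiating process is not a known management agent would be escalated; the logic above deliberately keeps every hit so the two sources can be correlated downstream.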

## Shield Active Defense

### Decoy System

Configure a computing system to serve as an attack target or experimental environment.

A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as any of a variety of IT devices, including user workstations, servers, networking systems, IoT (embedded) devices, mobile systems such as phones, etc.

#### Opportunity

There is an opportunity to study the adversary and collect first-hand observations about them and their tools.

#### Use Case

A defender can deploy a decoy system to see if an adversary attempts to shut down or reboot the device.

#### Procedures

Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system. Set up a server that appears to be something commonly expected within a network, such as a web server.