T1529.md

T1529 - System Shutdown/Reboot

Description from ATT&CK

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

Atomic Tests

• Atomic Test #1 - Shutdown System - Windows

• Atomic Test #2 - Restart System - Windows

• Atomic Test #3 - Restart System via shutdown - macOS/Linux

• Atomic Test #4 - Shutdown System via shutdown - macOS/Linux

• Atomic Test #5 - Restart System via reboot - macOS/Linux

• Atomic Test #6 - Shutdown System via halt - Linux

• Atomic Test #7 - Reboot System via halt - Linux

• Atomic Test #8 - Shutdown System via poweroff - Linux

• Atomic Test #9 - Reboot System via poweroff - Linux

Atomic Test #1 - Shutdown System - Windows

This test shuts down a Windows system.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
timeout	Timeout period before shutdown (seconds)	string	1

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

shutdown /s /t #{timeout}

Atomic Test #2 - Restart System - Windows

This test restarts a Windows system.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
timeout	Timeout period before restart (seconds)	string	1

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

shutdown /r /t #{timeout}

Atomic Test #3 - Restart System via shutdown - macOS/Linux

This test restarts a macOS/Linux system.

Supported Platforms: macOS, Linux

Inputs:

Name	Description	Type	Default Value
timeout	Time to restart (can be minutes or specific time)	string	now

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

shutdown -r #{timeout}

Atomic Test #4 - Shutdown System via shutdown - macOS/Linux

This test shuts down a macOS/Linux system using a halt.

Supported Platforms: macOS, Linux

Inputs:

Name	Description	Type	Default Value
timeout	Time to shutdown (can be minutes or specific time)	string	now

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

shutdown -h #{timeout}

Atomic Test #5 - Restart System via reboot - macOS/Linux

This test restarts a macOS/Linux system via reboot.

Supported Platforms: macOS, Linux

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

reboot

Atomic Test #6 - Shutdown System via halt - Linux

This test shuts down a Linux system using halt.

Supported Platforms: Linux

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

halt -p

Atomic Test #7 - Reboot System via halt - Linux

This test restarts a Linux system using halt.

Supported Platforms: Linux

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

halt --reboot

Atomic Test #8 - Shutdown System via poweroff - Linux

This test shuts down a Linux system using poweroff.

Supported Platforms: Linux

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

poweroff

Atomic Test #9 - Reboot System via poweroff - Linux

This test restarts a Linux system using poweroff.

Supported Platforms: Linux

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

poweroff --reboot