
DET0559 Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events

ID: DET0559
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1529 (System Shutdown/Reboot)

Analytics

Windows

AN1538

Correlate process execution of shutdown/reboot commands (e.g., shutdown.exe, Restart-Computer) with host status change logs (Event IDs 1074, 6006) and the absence of related administrative context (e.g., the user is not in the Helpdesk group).

Log Sources
Data Component | Name | Channel
Host Status (DC0018) | WinEventLog:Security | EventCode=1074
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1

Mutable Elements
Field | Description
UserContext | Defines whether the user has appropriate privileges to initiate a shutdown/reboot.
TimeWindow | Unexpected shutdowns during business hours may warrant increased scrutiny.
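The correlation AN1538 describes, written out as an added example (not part of the detection strategy page and not MITRE's code): for every Security 1074 host-status event, look back a short window for a matching shutdown.exe or Restart-Computer process creation on the same host, then evaluate the two mutable elements, UserContext (is the user in an approved group?) and TimeWindow (did it happen during business hours?). The Sysmon and Security records, the group lookup, the approved group, the business-hours range and the Stop-Computer cmdlet are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample telemetry (not from the page): a simplified SIEM-style
# normalization of Sysmon Event ID 1 and Security Event ID 1074 fields.
SYSMON_EID1 = [
    {"ts": "2025-10-21T02:14:05", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\shutdown.exe",
     "cmdline": "shutdown.exe /r /t 0"},
    {"ts": "2025-10-21T11:02:10", "host": "WS02", "user": "CORP\\helpdesk1",
     "image": "C:\\Windows\\System32\\shutdown.exe",
     "cmdline": 'shutdown.exe /s /t 30 /c "Patch window"'},
    {"ts": "2025-10-21T14:30:00", "host": "WS03", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -Command Restart-Computer -Force"},
]
SECURITY_1074 = [
    {"ts": "2025-10-21T02:14:06", "host": "WS01", "user": "CORP\\jdoe"},
    {"ts": "2025-10-21T11:02:11", "host": "WS02", "user": "CORP\\helpdesk1"},
    {"ts": "2025-10-21T14:30:02", "host": "WS03", "user": "CORP\\svc_backup"},
    # 1074 with no shutdown command seen on the host itself, e.g. the
    # shutdown was requested remotely or through the API rather than a CLI.
    {"ts": "2025-10-21T09:45:00", "host": "WS04", "user": "CORP\\helpdesk1"},
]

# Constructed stand-in for a directory/group lookup (assumption).
USER_GROUPS: Dict[str, Set[str]] = {
    "CORP\\jdoe": {"Domain Users"},
    "CORP\\helpdesk1": {"Domain Users", "Helpdesk"},
    "CORP\\svc_backup": {"Domain Users"},
}
APPROVED_GROUPS = {"Helpdesk"}   # assumed roles allowed to reboot endpoints
BUSINESS_HOURS = (8, 18)         # assumed local business hours, 08:00-18:00
SHUTDOWN_IMAGES = {"shutdown.exe"}
# Restart-Computer is named on the page; Stop-Computer is added by assumption.
SHUTDOWN_CMDLETS = ("restart-computer", "stop-computer")


def is_shutdown_exec(ev: dict) -> bool:
    """True if a process-creation record is a shutdown/reboot command."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()
    return image in SHUTDOWN_IMAGES or any(c in cmd for c in SHUTDOWN_CMDLETS)


def correlate(proc_events: List[dict], status_events: List[dict],
              window: timedelta = timedelta(seconds=30)) -> List[dict]:
    """For each host-status event, look back `window` for a shutdown command
    on the same host, then judge user context and time of day."""
    execs = [e for e in proc_events if is_shutdown_exec(e)]
    alerts = []
    for st in status_events:
        t_st = datetime.fromisoformat(st["ts"])
        match: Optional[dict] = None
        for ex in execs:
            delta = t_st - datetime.fromisoformat(ex["ts"])
            if ex["host"] == st["host"] and timedelta(0) <= delta <= window:
                match = ex
                break
        user = match["user"] if match else st["user"]
        reasons = []
        if match is None:
            reasons.append("host_status_without_matching_process_creation")
        if not (USER_GROUPS.get(user, set()) & APPROVED_GROUPS):
            reasons.append("user_not_in_approved_group")
        if not reasons:
            continue  # approved user, command and status line up: benign
        # TimeWindow: a reboot during business hours is more disruptive,
        # so it raises severity rather than being a finding on its own.
        in_hours = BUSINESS_HOURS[0] <= t_st.hour < BUSINESS_HOURS[1]
        alerts.append({"host": st["host"], "user": user,
                       "cmdline": match["cmdline"] if match else None,
                       "reasons": reasons,
                       "severity": "high" if in_hours else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SYSMON_EID1, SECURITY_1074):
        print(a)
```

Matching on the image basename plus the cmdlet name in the command line is what lets the PowerShell case (WS03) be caught even though the image is powershell.exe; the WS04 case shows why the host-status event, not the process creation, is the pivot: a 1074 with no local command is itself worth a look.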

Linux

AN1539

Detect 'shutdown', 'reboot', or 'systemctl poweroff' executions via auditd/syslog in the absence of a scheduled maintenance window or an approved user context.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | auditd:SYSCALL | execve=/sbin/shutdown or /sbin/reboot
Host Status (DC0018) | linux:syslog | system is powering down

Mutable Elements
Field | Description
CommandLineMatch | Supports multiple binary names or symlinked utilities.
UserContext | Privileged user context (e.g., root or via sudo) matching expected roles.
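An added example for AN1539 (not from the page, not MITRE's code) that handles the CommandLineMatch element: on systemd hosts /sbin/shutdown, /sbin/reboot, /sbin/halt and /sbin/poweroff are symlinks to systemctl, so the auditd SYSCALL record's exe= field shows systemctl while comm= and the EXECVE a0= keep the invoked name, and `systemctl reboot` spells the intent out as an argument instead. The code groups SYSCALL and EXECVE records by audit serial, classifies the exec, applies the UserContext element through auid (login uid) versus uid, and confirms against a syslog host-status line. The audit and syslog lines, the approved auid set and the maintenance window are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample records (not from the page). Layout follows auditd's
# SYSCALL/EXECVE records; all values are invented. Timestamps are 2025-10-21.
AUDIT_LINES = """\
type=SYSCALL msg=audit(1761012845.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=0 gid=0 euid=0 comm="shutdown" exe="/usr/bin/systemctl" key="power"
type=EXECVE msg=audit(1761012845.123:4567): argc=3 a0="shutdown" a1="-h" a2="now"
type=SYSCALL msg=audit(1761015600.000:4590): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=4294967295 uid=0 gid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="power"
type=EXECVE msg=audit(1761015600.000:4590): argc=2 a0="systemctl" a1="reboot"
type=SYSCALL msg=audit(1761012900.000:4600): arch=c000003e syscall=59 success=yes exit=0 ppid=3300 pid=3301 auid=1002 uid=1002 gid=1002 euid=1002 comm="cat" exe="/usr/bin/cat" key="power"
type=EXECVE msg=audit(1761012900.000:4600): argc=2 a0="cat" a1="/etc/hostname"
"""
# Constructed syslog lines; the message texts are systemd-logind's wording.
SYSLOG_LINES = """\
Oct 21 02:14:07 web01 systemd-logind[800]: System is powering down.
Oct 21 03:00:02 web01 systemd-logind[800]: System is rebooting.
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')
STATUS_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) .*?'
                       r'(system is (?:powering down|rebooting|halting))', re.I)
POWER_BINARIES = {"shutdown", "reboot", "halt", "poweroff"}
SYSTEMCTL_VERBS = {"poweroff", "reboot", "halt"}
UNSET_AUID = 4294967295  # auditd's "no login session" auid (cron, daemons)


def parse_audit(text: str) -> List[dict]:
    """Group SYSCALL and EXECVE records sharing an audit serial into one event."""
    events: Dict[str, dict] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = int(m.group(1)), m.group(2)
        ev = events.setdefault(serial, {"ts": datetime.fromtimestamp(ts, timezone.utc), "argv": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields["type"] == "SYSCALL":
            ev.update(exe=fields["exe"], comm=fields["comm"],
                      auid=int(fields["auid"]), uid=int(fields["uid"]))
        elif fields["type"] == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return list(events.values())


def power_action(ev: dict) -> Optional[str]:
    """Return 'reboot' or 'poweroff' if the exec requests one, else None.
    Checks the invoked name (argv[0]/comm) as well as the resolved exe so
    that symlinked shutdown/reboot and direct systemctl calls both match."""
    exe = ev["exe"].rsplit("/", 1)[-1]
    argv0 = (ev["argv"][0] if ev["argv"] else ev["comm"]).rsplit("/", 1)[-1]
    if argv0 in POWER_BINARIES or exe in POWER_BINARIES:
        name = argv0 if argv0 in POWER_BINARIES else exe
        if name == "reboot" or (name == "shutdown" and "-r" in ev["argv"]):
            return "reboot"
        return "poweroff"
    if exe == "systemctl":
        verbs = SYSTEMCTL_VERBS & set(ev["argv"][1:])
        if verbs:
            return "reboot" if "reboot" in verbs else "poweroff"
    return None


def parse_status(text: str, year: int) -> List[dict]:
    """Extract host-status lines; syslog stamps carry no year, so it is supplied."""
    out = []
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            stamp = " ".join(m.group(1).split())
            ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
            out.append({"ts": ts, "host": m.group(2), "msg": m.group(3)})
    return out


def detect(audit_text: str, syslog_text: str, approved_auids: set,
           maint_window: tuple, year: int = 2025,
           window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Alert on shutdown/reboot execs outside a maintenance window by an
    unapproved login uid; single-host sample, so no host key is needed."""
    statuses = parse_status(syslog_text, year)
    alerts = []
    for ev in parse_audit(audit_text):
        action = power_action(ev)
        if action is None:
            continue
        in_maint = maint_window[0] <= ev["ts"].hour < maint_window[1]
        if in_maint or ev["auid"] in approved_auids:
            continue
        confirmed = any(timedelta(0) <= s["ts"] - ev["ts"] <= window for s in statuses)
        alerts.append({"ts": ev["ts"].isoformat(), "action": action,
                       "auid": ev["auid"], "via_sudo": ev["auid"] != ev["uid"],
                       "no_login_session": ev["auid"] == UNSET_AUID,
                       "argv": " ".join(ev["argv"]), "confirmed": confirmed})
    return alerts
```

Keying on auid rather than uid matters for the UserContext element: after sudo the uid is 0 for everyone, but auid still identifies who logged in, and the unset value separates cron or daemon-initiated reboots from interactive ones.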

macOS

AN1540

Identify use of 'shutdown', 'reboot', or 'osascript' system shutdown invocations in unified logs and track unexpected shutdown sequences initiated from the GUI or a script. Cross-reference with user activity, or the absence of it.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | shutdown -h now or reboot
Host Status (DC0018) | macos:unifiedlog | System shutdown or reboot requested

Mutable Elements
Field | Description
LaunchMechanism | Scripted vs. interactive shutdowns.
LogGranularity | May vary depending on macOS version and unified log verbosity.

ESXi

AN1541

Detect commands such as 'esxcli system shutdown' or 'vim-cmd vmsvc/power.shutdown' executed outside of maintenance windows or by unusual users. Correlate reboot entries in hostd.log with shell logs.

Log Sources
Data Component | Name | Channel
Host Status (DC0018) | esxi:hostd | Powering off or restarting host
Command Execution (DC0064) | esxi:shell | esxcli system shutdown or reboot invoked

Mutable Elements
Field | Description
AccountRole | Administrative account context validation.
MaintenanceWindow | Expected times for reboot/shutdown behavior.

Network Devices

AN1542

Monitor CLI 'reload' commands issued without scheduled maintenance and correlate them with TACACS+/AAA logs to validate privilege.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | networkdevice:syslog | reload command issued
Host Status (DC0018) | networkdevice:syslog | System reboot scheduled or performed

Mutable Elements
Field | Description
PrivilegeLevel | TACACS+/AAA role thresholds for command execution.
ChangeTicketCorrelation | Track change control windows or ITSM integration.