T1529 System Shutdown/Reboot

Adversaries may shut down/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).[4][2]

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shut down/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[1][3]

Item Value
ID T1529
Sub-techniques
Tactics TA0040
Platforms Linux, Network, Windows, macOS
Version 1.3
Created 04 October 2019
Last Modified 22 March 2023

Procedure Examples

ID Name Description
G0067 APT37 APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.[17]
G0082 APT38 APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim’s MBR.[18]
S1053 AvosLocker AvosLocker’s Linux variant has terminated ESXi virtual machines.[12]
S1033 DCSrv DCSrv has a function to sleep for two hours before rebooting the system.[9]
S0697 HermeticWiper HermeticWiper can initiate a system shutdown.[7][8]
S0607 KillDisk KillDisk attempts to reboot the machine by terminating specific processes.[11]
G0032 Lazarus Group Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[19]
S0372 LockerGoga LockerGoga has been observed shutting down infected systems.[13]
S0582 LookBack LookBack can shut down and reboot the victim machine.[16]
S0449 Maze Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[10]
S0368 NotPetya NotPetya will reboot the system one hour after infection.[1][6]
S0365 Olympic Destroyer Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[3][6]
S0140 Shamoon Shamoon will reboot the infected system once the wiping functionality has been completed.[14][15]
S0689 WhisperGate WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.[5]

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0013 Sensor Health Host Status
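A detection sketch for the three data sources above, written for this page and not part of ATT&CK or any vendor product: it scores shutdown/reboot process-creation events by intent, timeout and parent process, then uses the last sensor check-in to tell whether the host went dark afterwards. The approved-parent list, the assumed 30-second default timeout and all sample events are constructed assumptions.

```python
"""Added detection sketch for T1529: score shutdown/reboot process-creation events (DS0009/DS0017)
and flag hosts that stop reporting afterwards (DS0013). All sample data below is constructed."""
import shlex
from datetime import datetime
APPROVED_PARENTS = {"ccmexec.exe", "msiexec.exe", "tiworker.exe", "sshd"}  # assumed; tune to your fleet
DEFAULT_TIMEOUT = 30  # assumed shutdown.exe default when /t is absent

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_cmdline(cmdline, windows):
    """Return (intent, timeout_seconds) for a shutdown/reboot command, else (None, None)."""
    argv = shlex.split(cmdline)  # sample cmdlines carry no backslashes, so POSIX splitting is fine
    exe, args = (basename(argv[0]) if argv else ""), [a.lower() for a in argv[1:]]
    if exe in ("reboot", "poweroff", "halt"):  # Linux one-shot commands, no grace period
        return ("reboot" if exe == "reboot" else "shutdown"), 0
    if exe not in ("shutdown", "shutdown.exe"):
        return None, None
    flags = {a.lstrip("/-") for a in args if a.startswith(("/", "-"))}  # /r, -r, /s, -h, /t ...
    # Linux `shutdown` with no flag defaults to poweroff; Windows without /s or /r (e.g. /l, /?) does not stop the host
    intent = "reboot" if "r" in flags else "shutdown" if (flags & {"s", "h", "p"} or not windows) else None
    if "a" in flags or intent is None:  # /a aborts a pending shutdown: not an impact event
        return None, None
    timeout = DEFAULT_TIMEOUT
    for i, a in enumerate(args):
        if a in ("/t", "-t") and i + 1 < len(args) and args[i + 1].isdigit():
            timeout = int(args[i + 1])
        elif a == "now" or (a.startswith("+") and a[1:].isdigit()):
            timeout = 0 if a == "now" else int(a[1:]) * 60  # Linux: now or +minutes
    return intent, timeout

def triage(events, last_heartbeat, grace=60, window=300):
    """Events carry host, ts, image, cmdline, parent; last_heartbeat maps host -> last sensor check-in (or None)."""
    findings = []
    for ev in events:
        intent, timeout = parse_cmdline(ev["cmdline"], ev["image"].lower().endswith(".exe"))
        if intent is None:
            continue
        seen = last_heartbeat.get(ev["host"])
        gap = (datetime.fromisoformat(seen) - datetime.fromisoformat(ev["ts"])).total_seconds() if seen else 0
        dark = gap <= window  # no check-in later than command time + window: host went dark
        severity = "low" if basename(ev["parent"]) in APPROVED_PARENTS else "high" if (timeout <= grace or dark) else "medium"
        findings.append({"host": ev["host"], "intent": intent, "timeout": timeout, "host_dark": dark, "severity": severity})
    return findings

SAMPLE_EVENTS = [  # constructed, Sysmon-style process-creation records (not real telemetry)
    {"host": "ws01", "ts": "2023-03-22T10:00:05", "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown /r /t 1", "parent": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"},
    {"host": "ws02", "ts": "2023-03-22T10:01:00", "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": 'shutdown /s /t 600 /c "Patch window"', "parent": "C:\\Windows\\CCM\\CcmExec.exe"},
    {"host": "srv01", "ts": "2023-03-22T10:02:00", "image": "/usr/sbin/shutdown", "cmdline": "shutdown -r now", "parent": "/usr/bin/bash"}]
SAMPLE_HEARTBEATS = {"ws01": "2023-03-22T10:00:20", "ws02": "2023-03-22T11:00:00", "srv01": None}  # constructed
```

Running `triage(SAMPLE_EVENTS, SAMPLE_HEARTBEATS)` ranks the one-second reboot from a Temp-dir parent and the immediate Linux reboot as high, and the SCCM-driven ten-minute shutdown as low.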

References


  1. Chiu, A. (2016, June 27). New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Retrieved March 26, 2019. 

  2. CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022. 

  3. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. 

  4. Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019. 

  5. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  6. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. 

  7. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. 

  8. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  9. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  10. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  11. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021. 

  12. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023. 

  13. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019. 

  14. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  15. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020. 

  16. Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  17. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. 

  18. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  19. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.