T1529
System Shutdown/Reboot
Description from ATT&CK
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may also use Windows API functions, such as InitializeSystemShutdownExW or ExitWindowsEx, to force a system to shut down or reboot.(Citation: CrowdStrike Blog)(Citation: Unit42 Agrius 2023) Alternatively, the NtRaiseHardError or ZwRaiseHardError Windows API functions with the ResponseOption parameter set to OptionShutdownSystem may deliver a “blue screen of death” (BSOD) to a system.(Citation: SonicWall)(Citation: NtRaiseHardError)(Citation: NotMe-BSOD) In order to leverage these API functions, an adversary may need to acquire SeShutdownPrivilege (e.g., via Access Token Manipulation).(Citation: Unit42 Agrius 2023)
In some cases, the system may not be able to boot again.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
Tests
Test #1 - Shutdown system (using System Events)
Shuts down the system using the shutdown command from System Events.
⚠️ TCC Required
tell application "System Events" to shutdown
Test #2 - Reboot system (using System Events)
Reboots the system using the reboot command from System Events.
⚠️ TCC Required
tell application "System Events" to reboot
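As an added example that is not part of this page or of the test project it describes: a small Python triage helper that scans log lines for shutdown/reboot requests and flags those whose requester is a script host such as osascript (the host that runs the .scpt tests above) rather than an interactive or update process. The line format, the allow-lists and the sample lines are all constructed assumptions, not real macOS unified-log output; a real deployment would normalise `log show` output into this shape first.

```python
"""Triage helper for shutdown/reboot requests (added example, not project code).

Assumption: log lines have the constructed, syslog-like shape
    <YYYY-MM-DD HH:MM:SS> <process>[<pid>]: <message>
and a request message names the requester as '... request from <name>[<pid>]'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# A shutdown, reboot or restart request, optionally naming the requesting program.
REQUEST_RE = re.compile(
    r"\b(?P<action>shutdown|reboot|restart)\b.*?\brequest\b"
    r"(?:\s+from\s+(?P<requester>[^\[\s]+)(?:\[(?P<rpid>\d+)\])?)?",
    re.IGNORECASE,
)

# Assumption: processes that normally request a shutdown/reboot on a managed Mac.
EXPECTED_REQUESTERS = {"loginwindow", "softwareupdated"}
# Script hosts: a shutdown/reboot asked for by one of these deserves a closer look.
SCRIPT_HOSTS = {"osascript", "osacompile", "automator", "sh", "bash", "zsh", "python3"}


@dataclass
class ShutdownEvent:
    ts: str
    logger: str               # process that wrote the log line
    action: str               # "shutdown" or "reboot"
    requester: Optional[str]  # program that asked for it, if the line says
    severity: str             # "expected", "review" or "suspicious"


def classify(requester: Optional[str]) -> str:
    """Rate a requester: known-good, script host, or unknown (needs review)."""
    if requester is None:
        return "review"
    if requester in EXPECTED_REQUESTERS:
        return "expected"
    if requester in SCRIPT_HOSTS:
        return "suspicious"
    return "review"


def parse_line(line: str) -> Optional[ShutdownEvent]:
    """Return a ShutdownEvent for a request line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    r = REQUEST_RE.search(m["msg"])
    if not r:
        return None
    action = "reboot" if r["action"].lower() in ("reboot", "restart") else "shutdown"
    return ShutdownEvent(
        ts=m["ts"], logger=m["process"], action=action,
        requester=r["requester"], severity=classify(r["requester"]),
    )


def scan(lines: List[str]) -> List[ShutdownEvent]:
    """Parse every line and keep only shutdown/reboot request events."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def suspicious(lines: List[str]) -> List[ShutdownEvent]:
    """Only the events a responder should look at first."""
    return [ev for ev in scan(lines) if ev.severity == "suspicious"]


# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = [
    "2024-05-01 09:14:02 kernel[0]: wake reason: EC.LidOpen",
    "2024-05-01 17:55:10 loginwindow[311]: shutdown request from loginwindow[311] (user chose Shut Down)",
    "2024-05-01 22:03:44 System Events[2087]: received shutdown request from osascript[4102]",
    "2024-05-01 22:03:45 System Events[2087]: received reboot request from osascript[4117]",
    "2024-05-02 03:00:01 softwareupdated[540]: restart request from softwareupdated[540] after update install",
    "2024-05-02 08:12:30 System Events[2087]: received reboot request",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.severity:10} {ev.action:8} via {ev.logger} from {ev.requester}")
```

The allow-list is the part worth tuning: on a fleet where MDM agents or scheduled maintenance jobs legitimately reboot machines, add those process names to EXPECTED_REQUESTERS so that only the script-host and unknown cases surface for review.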