T1529 · Technique · impact · agent-callable

T1529 System Shutdown/Reboot

Platforms: Linux · macOS · Windows · Network

ATT&CK version: 14.1

What it is

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. `reload`).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery. Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

ATT&CK tactics · 1

Impact

References

  1. https://attack.mitre.org/techniques/T1529
  2. https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
  3. https://www.cisa.gov/uscert/ncas/alerts/TA18-106A
  4. https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
  5. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.