T1529 - System Shutdown/Reboot

Description from ATT&CK (opens in a new tab)

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (opens in a new tab) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.

Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe (opens in a new tab) or Inhibit System Recovery (opens in a new tab), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

Atomic Tests

• Atomic Test #1 - Shutdown System - Windows

• Atomic Test #2 - Restart System - Windows

• Atomic Test #3 - Restart System via shutdown - FreeBSD/macOS/Linux

• Atomic Test #4 - Shutdown System via shutdown - FreeBSD/macOS/Linux

• Atomic Test #5 - Restart System via reboot - FreeBSD/macOS/Linux

• Atomic Test #6 - Shutdown System via halt - FreeBSD/Linux

• Atomic Test #7 - Reboot System via halt - FreeBSD

• Atomic Test #8 - Reboot System via halt - Linux

• Atomic Test #9 - Shutdown System via poweroff - FreeBSD/Linux

• Atomic Test #10 - Reboot System via poweroff - FreeBSD

• Atomic Test #11 - Reboot System via poweroff - Linux

• Atomic Test #12 - Logoff System - Windows

• Atomic Test #13 - ESXi - Terminates VMs using pkill

• Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs

• Atomic Test #15 - ESXi - vim-cmd Used to Power Off VMs

Atomic Test #1 - Shutdown System - Windows

This test shuts down a Windows system.

Supported Platforms: Windows

auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64

Inputs:

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

shutdown /s /t #{timeout}

Atomic Test #2 - Restart System - Windows

This test restarts a Windows system.

Supported Platforms: Windows

auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302

Inputs:

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

shutdown /r /t #{timeout}

Atomic Test #3 - Restart System via shutdown - FreeBSD/macOS/Linux

This test restarts a FreeBSD/macOS/Linux system.

Supported Platforms: Linux, macOS

auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb

Inputs:

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

shutdown -r #{timeout}

Atomic Test #4 - Shutdown System via shutdown - FreeBSD/macOS/Linux

This test shuts down a FreeBSD/macOS/Linux system using a halt.

Supported Platforms: Linux, macOS

auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de

Inputs:

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

shutdown -h #{timeout}

Atomic Test #5 - Restart System via reboot - FreeBSD/macOS/Linux

This test restarts a FreeBSD/macOS/Linux system via reboot.

Supported Platforms: Linux, macOS

auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

reboot

Atomic Test #6 - Shutdown System via halt - FreeBSD/Linux

This test shuts down a FreeBSD/Linux system using halt.

Supported Platforms: Linux

auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

halt -p

Atomic Test #7 - Reboot System via halt - FreeBSD

This test restarts a FreeBSD system using halt.

Supported Platforms: Linux

auto_generated_guid: 7b1cee42-320f-4890-b056-d65c8b884ba5

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

halt -r

Atomic Test #8 - Reboot System via halt - Linux

This test restarts a Linux system using halt.

Supported Platforms: Linux

auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

halt --reboot

Atomic Test #9 - Shutdown System via poweroff - FreeBSD/Linux

This test shuts down a FreeBSD/Linux system using poweroff.

Supported Platforms: Linux

auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

poweroff

Atomic Test #10 - Reboot System via poweroff - FreeBSD

This test restarts a FreeBSD system using poweroff.

Supported Platforms: Linux

auto_generated_guid: 5a282e50-86ff-438d-8cef-8ae01c9e62e1

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

poweroff -r 3

Atomic Test #11 - Reboot System via poweroff - Linux

This test restarts a Linux system using poweroff.

Supported Platforms: Linux

auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

poweroff --reboot

Atomic Test #12 - Logoff System - Windows

This test performs a Windows system logoff as seen in dcrat backdoor capabilities (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

shutdown /l

Atomic Test #13 - ESXi - Terminates VMs using pkill

In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx. Reference (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b

Inputs:

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

Dependencies: Run with powershell!

Description: Check if plink is available.

Check Prereq Commands:

if (Test-Path "#{plink_file}") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs

Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them. Reference (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece

Inputs:

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

Dependencies: Run with powershell!

Description: Check if plink is available.

Check Prereq Commands:

if (Test-Path "#{plink_file}") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #15 - ESXi - vim-cmd Used to Power Off VMs

Adversaries may power off VMs to facilitate the deployment of ransomware payloads. Reference (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 622cc1a0-45e7-428c-aed7-c96dd605fbe6

Inputs:

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/power.off $i & done"

Dependencies: Run with powershell!

Description: Check if we have plink

Check Prereq Commands:

if (Test-Path "#{plink_file}") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"