T1529 | Impact | Medium difficulty

System Shutdown/Reboot

System Shutdown/Reboot (T1529) is a MITRE ATT&CK technique in the Impact tactic. SOC analysts detect it by monitoring SIEM and XDR events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

SIEM | XDR

What is System Shutdown/Reboot?

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. The operating system or hardware may be targeted for disruption or to aid in other tactics such as firmware corruption. Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while continuing to allow the adversary's access via remote services. Adversaries may attempt to shut down or reboot a system after implanting a bootloader or modifying disk data to make the system inoperable. Rebooting systems can also be used to force firmware or configuration changes to take effect, to clear memory contents including residual malware, or to trigger persistence mechanisms that only activate on startup. In denial of service contexts, forced shutdowns and reboots of critical infrastructure systems can cause operational disruption and physical world impacts.

System Shutdown/Reboot is documented as technique T1529 in the MITRE ATT&CK knowledge base under the Impact tactic. Detection requires visibility into SIEM and XDR telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify System Shutdown/Reboot activity. These methods apply across SIEM and XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for unauthorized shutdown and reboot commands executed via command line or scripts, particularly those targeting multiple systems simultaneously or using force flags that override user sessions.

2. Alert on shutdown events initiated from remote sessions or by processes that do not normally perform system shutdown operations, correlating with prior suspicious activity to assess whether it is part of an attack chain.

3. Detect scheduled shutdown tasks created by attackers to trigger system shutdowns at specific times, which may be used to time reboots to coincide with attack phases or to cover tracks after completing attack objectives.

4. Monitor for shutdown events on critical infrastructure including domain controllers, core servers, and operational technology systems, as these may have disproportionate impact on business operations.

5. Correlate shutdown events with other attack indicators including credential theft, lateral movement, and destructive payload execution to determine whether shutdowns are being used as part of a coordinated impact operation.
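As an added illustration of strategies 1, 2 and 4 (this is example code, not SOCSimulator's or MITRE's), the following Python pass tags force-flag, remote-session and critical-asset shutdown commands in normalised process-creation events and correlates many hosts per account within a short window, the pattern behind the mass WMI shutdown alert described below. The event fields, hostnames, accounts, thresholds and the list of remote-execution parent processes are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: the fields a SIEM would normalise
# from Sysmon Event ID 1 / EDR process telemetry. Hosts and accounts are made up.
EVENTS = [
    {"ts": "2024-05-01T23:47:02", "host": "FS-01", "user": "CORP\\adm-jdoe",
     "parent": "wsmprovhost.exe", "cmd": "shutdown /s /f /t 0"},
    {"ts": "2024-05-01T23:47:03", "host": "APP-02", "user": "CORP\\adm-jdoe",
     "parent": "wsmprovhost.exe", "cmd": "shutdown /s /f /t 0"},
    {"ts": "2024-05-01T23:47:03", "host": "WS-117", "user": "CORP\\adm-jdoe",
     "parent": "wsmprovhost.exe", "cmd": "shutdown /s /f /t 0"},
    {"ts": "2024-05-01T23:50:10", "host": "DC-PRIMARY-01", "user": "CORP\\ops-admin",
     "parent": "explorer.exe", "cmd": "shutdown /r /t 300"},   # planned DC reboot
    {"ts": "2024-05-01T23:55:00", "host": "WS-042", "user": "CORP\\user1",
     "parent": "explorer.exe", "cmd": "shutdown /r /t 0"},     # ordinary local reboot
]

SHUTDOWN = re.compile(r"\bshutdown(\.exe)?\b", re.I)
FORCE_FLAG = re.compile(r"\bshutdown(\.exe)?\s.*(/f|-f)\b", re.I)  # /f kills user sessions
REMOTE_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe", "psexesvc.exe"}  # WinRM, WMI, PsExec
CRITICAL_HOSTS = {"DC-PRIMARY-01"}  # constructed asset list: DCs, core servers, OT
MASS_THRESHOLD, WINDOW = 3, timedelta(minutes=5)  # distinct hosts per actor per window

def analyze(events):
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if not SHUTDOWN.search(e["cmd"]):
            continue                                  # not a shutdown/reboot command
        tags = []
        if FORCE_FLAG.search(e["cmd"]):
            tags.append("force-flag")                 # strategy 1
        if e["parent"].lower() in REMOTE_PARENTS:
            tags.append("remote-session")             # strategy 2
        if e["host"] in CRITICAL_HOSTS:
            tags.append("critical-asset")             # strategy 4
        if tags:
            alerts.append({"host": e["host"], "user": e["user"], "tags": tags})
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    for user, hits in by_user.items():                # strategy 1: one actor, many hosts
        hits.sort()
        for t0, _ in hits:
            hosts = {h for t, h in hits if t0 <= t <= t0 + WINDOW}
            if len(hosts) >= MASS_THRESHOLD:
                alerts.append({"host": "MULTI", "user": user,
                               "tags": ["mass-shutdown:%d hosts" % len(hosts)]})
                break
    return alerts
```

The planned DC reboot is surfaced only as a critical-asset event for analyst review, while the single local reboot produces nothing, which is the true-positive versus false-positive split the Example Alerts section is meant to train.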

Example Alerts

These realistic alert examples show what System Shutdown/Reboot looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Critical | SIEM

Mass System Shutdown Command Executed

WMI was used to execute shutdown /s /f /t 0 on 156 systems simultaneously across all network segments. The command was issued by a compromised domain admin account from an external IP address using PowerShell remoting. The simultaneous shutdown of 156 systems including all file servers, application servers, and workstations represents a significant business disruption event consistent with a coordinated destructive attack.

Critical | SIEM

Domain Controller Forced Reboot

Domain controller DC-PRIMARY-01 rebooted via its remote management interface. The reboot command was issued through the IPMI interface using default credentials that had not been changed from factory settings. The reboot occurred 3 minutes after a failed attempt to access the domain controller filesystem remotely. This action may have been intended to trigger a bootkit or to deny authentication services during a wider attack.

High | XDR

Scheduled Shutdown Task Created on Servers

Scheduled tasks created on 12 servers simultaneously at 11:47 PM to trigger forced system shutdown at 02:00 AM. The tasks were created by a service account that gained elevated privileges through a vulnerability. The 2:00 AM timing suggests the attacker plans to complete their operation and trigger shutdowns to delay incident response during the early morning period when monitoring coverage is reduced.

Practice Detecting System Shutdown/Reboot

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including System Shutdown/Reboot. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect System Shutdown/Reboot?
SOC analysts detect System Shutdown/Reboot (T1529) by monitoring SIEM and XDR telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for unauthorized shutdown and reboot commands executed via command line or scripts, particularly those targeting multiple systems simultaneously. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect System Shutdown/Reboot?
System Shutdown/Reboot can be detected using SIEM and XDR platforms. SIEM tools are particularly effective for this technique because they provide visibility into the impact phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is System Shutdown/Reboot in real-world attacks?
System Shutdown/Reboot is a well-documented MITRE ATT&CK technique in the Impact tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic System Shutdown/Reboot scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting System Shutdown/Reboot for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Impact techniques like System Shutdown/Reboot. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.