sigmainformationalHunting

System Shutdown/Reboot - Linux

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

MITRE ATT&CK

impact

Detection Query

execve:
  type: EXECVE
shutdowncmd:
  - shutdown
  - reboot
  - halt
  - poweroff
init:
  - init
  - telinit
initselection:
  - 0
  - 6
condition: execve and (shutdowncmd or (init and initselection))

Author

Igor Fits, oscd.community

Created

2020-10-15

Data Sources

linuxauditd

Platforms

linux

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md

Tags

attack.impactattack.t1529

Raw Content

title: System Shutdown/Reboot - Linux
id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
status: test
description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1529
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    shutdowncmd:
        - 'shutdown'
        - 'reboot'
        - 'halt'
        - 'poweroff'
    init:
        - 'init'
        - 'telinit'
    initselection:
        - 0
        - 6
    condition: execve and (shutdowncmd or (init and initselection))
falsepositives:
    - Legitimate administrative activity
level: informational