Which SIEM platforms have a T1529 detection rule?

df00tech provides T1529 (System Shutdown/Reboot) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Shutdown/Reboot (T1529)?

Detecting System Shutdown/Reboot requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1529 detection?

The T1529 detection is rated high severity with medium confidence.

What are common false positives for T1529?

Common false positives for T1529 include: System administrators performing scheduled maintenance reboots via RMM agents (ConnectWise Control, Kaseya VSA, TeamViewer) — these typically spawn from the RMM agent process, not scripting hosts; Windows Update process initiating reboots after patch installation — typically initiated by TrustedInstaller or svchost.exe with wuauserv service tag, with long /t timeout values; Configuration management and patch automation platforms (Ansible WinRM, SCCM, Intune) executing shutdown commands as part of deployment or patch cycles — usually from known service accounts at scheduled times.

T1529

System Shutdown/Reboot

Impact Last updated: April 20, 2026

Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.

What is T1529 System Shutdown/Reboot?

System Shutdown/Reboot (T1529) maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data in MITRE ATT&CK.

This page provides production-ready detection logic for System Shutdown/Reboot, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Impact
Technique: T1529 System Shutdown/Reboot
Canonical reference: https://attack.mitre.org/techniques/T1529/

Microsoft Sentinel / Defender

kusto

let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"]);
// Branch 1: Windows shutdown.exe
let WindowsShutdown = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "shutdown.exe"
| where ProcessCommandLine has_any ("/s", "/r", "-s", "-r")
| extend ImmediateShutdown = ProcessCommandLine has "/t 0" or ProcessCommandLine has "-t 0"
| extend ForcedShutdown = ProcessCommandLine has "/f" or ProcessCommandLine has "-f"
| extend RemoteShutdown = ProcessCommandLine has "/m"
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend RiskScore = toint(ImmediateShutdown) + toint(ForcedShutdown) + toint(SuspiciousParent) * 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="WindowsShutdownExe";
// Branch 2: PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError)
let PowerShellAPIAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "ExitWindowsEx", "InitiateSystemShutdown", "InitializeSystemShutdownExW",
    "NtRaiseHardError", "ZwRaiseHardError",
    "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
    "OptionShutdownSystem", "SeShutdownPrivilege"
  )
| extend ImmediateShutdown = true
| extend ForcedShutdown = true
| extend RemoteShutdown = false
| extend SuspiciousParent = true
| extend RiskScore = 4
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="PowerShellAPIAbuse";
// Branch 3: Linux/macOS shutdown utilities
let LinuxMacShutdown = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ ("shutdown", "reboot", "halt", "poweroff"))
    or (FileName =~ "systemctl" and ProcessCommandLine has_any ("poweroff", "reboot", "halt", "shutdown"))
    or (FileName =~ "init" and ProcessCommandLine matches regex @"\s[06]$")
  )
| where DeviceOSPlatform in~ ("Linux", "macOS")
| extend ImmediateShutdown = ProcessCommandLine has_any ("-t 0", "now", "+0")
| extend ForcedShutdown = ProcessCommandLine has_any ("-f", "--force")
| extend RemoteShutdown = false
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend RiskScore = toint(ImmediateShutdown) + toint(ForcedShutdown) + toint(SuspiciousParent) * 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="LinuxMacShutdown";
WindowsShutdown
| union PowerShellAPIAbuse
| union LinuxMacShutdown
| where RiskScore >= 1
| sort by RiskScore desc, Timestamp desc

Detects system shutdown and reboot commands across Windows, Linux, and macOS using Microsoft Defender for Endpoint DeviceProcessEvents. Three detection branches cover: (1) Windows shutdown.exe with /s or /r flags, scored higher for /t 0 (immediate), /f (forced), or suspicious initiating process; (2) PowerShell invoking shutdown-related Windows API functions — ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError, InitiateSystemShutdown — a near-zero false-positive indicator used by WhisperGate and BFG Agonizer; (3) Linux/macOS shutdown, reboot, halt, poweroff, and systemctl poweroff/reboot. Risk scoring allows threshold tuning: RiskScore 1 for routine shutdown commands, 3+ for forced/immediate, 4 for API abuse. Filter to RiskScore >= 3 in high-volume environments.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators performing scheduled maintenance reboots via RMM agents (ConnectWise Control, Kaseya VSA, TeamViewer) — these typically spawn from the RMM agent process, not scripting hosts
Windows Update process initiating reboots after patch installation — typically initiated by TrustedInstaller or svchost.exe with wuauserv service tag, with long /t timeout values
Configuration management and patch automation platforms (Ansible WinRM, SCCM, Intune) executing shutdown commands as part of deployment or patch cycles — usually from known service accounts at scheduled times
Hypervisor guest agents (VMware Tools vmtoolsd.exe, VirtualBox additions) performing coordinated shutdown during snapshot or migration operations
Legitimate helpdesk personnel remotely rebooting endpoints via shutdown /m after troubleshooting sessions — identifiable by the /r flag (reboot, not shutdown) and corresponding helpdesk ticket

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\shutdown.exe" AND (CommandLine="*/s *" OR CommandLine="*/r *" OR CommandLine="*-s *" OR CommandLine="*-r *" OR CommandLine="*/s" OR CommandLine="*/r"))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
      AND (CommandLine="*ExitWindowsEx*" OR CommandLine="*InitiateSystemShutdown*" OR CommandLine="*NtRaiseHardError*"
           OR CommandLine="*ZwRaiseHardError*" OR CommandLine="*EWX_SHUTDOWN*" OR CommandLine="*EWX_REBOOT*"
           OR CommandLine="*OptionShutdownSystem*" OR CommandLine="*SeShutdownPrivilege*"))
  OR (match(Image, "/(shutdown|reboot|halt|poweroff)$") AND NOT match(Image, "\.exe$"))
  OR (Image="*/systemctl" AND (CommandLine="*poweroff*" OR CommandLine="*reboot*" OR CommandLine="*halt*"))
)
| eval IsWindowsShutdownExe=if(match(Image, "\\\\shutdown\.exe$"), 1, 0)
| eval IsPowerShellAPI=if(match(lower(CommandLine), "(exitwindowsex|initiatesystemshutdown|initializesystemshutdownexw|ntraiseharderror|zwraiseharderror|ewx_shutdown|ewx_reboot|ewx_poweroff|optionshutdownsystem|seshutdownprivilege)"), 1, 0)
| eval IsLinuxMacShutdown=if(match(Image, "/(shutdown|reboot|halt|poweroff|systemctl)$") AND NOT match(Image, "\.exe"), 1, 0)
| eval ImmediateShutdown=if(match(CommandLine, "(/t\s*0|-t\s*0|\bnow\b|\+0)"), 1, 0)
| eval ForcedShutdown=if(match(CommandLine, "(/f[\s"]|-f[\s"]|--force)"), 1, 0)
| eval RemoteShutdown=if(match(CommandLine, "(/m\s|/m\\\\)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)"), 1, 0)
| eval RiskScore=IsWindowsShutdownExe + (IsPowerShellAPI * 4) + ImmediateShutdown + ForcedShutdown + (SuspiciousParent * 2) + RemoteShutdown
| where RiskScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsWindowsShutdownExe, IsPowerShellAPI, IsLinuxMacShutdown,
        ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore
| sort - RiskScore - _time

Detects system shutdown and reboot commands using Sysmon Event ID 1 (Process Creation). Four detection branches covering Windows shutdown.exe, PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError), and Linux/macOS shutdown utilities (shutdown, reboot, halt, poweroff, systemctl). Risk scoring: PowerShell API abuse scores 4 baseline (near-zero false positive rate), suspicious parent process scores +2, immediate (/t 0 or 'now') and forced (/f) flags each score +1. Events with RiskScore >= 3 warrant immediate escalation; >= 5 indicates confirmed malicious pattern. Tune threshold in high-volume environments by raising minimum RiskScore.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators performing scheduled maintenance reboots via RMM agents — identifiable by known RMM agent parent processes (ConnectWise, Kaseya, TeamViewer) at expected maintenance windows
Windows Update reboots — parent process is typically TrustedInstaller or svchost.exe with long timeout values and predictable scheduling
Configuration management platforms (Ansible, SCCM, Intune) executing shutdown commands during patch cycles — known service accounts at scheduled times
Hypervisor guest agents performing coordinated shutdown during snapshot or live migration operations
Legitimate helpdesk remote reboot sessions — correlate with ticketing system records and RMM session logs

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and event.type == "start" and
  (
    (process.name : "shutdown.exe" and process.args : ("/s", "/r", "-s", "-r"))
    or
    (process.name : ("powershell.exe", "pwsh.exe") and
     process.args : ("ExitWindowsEx", "InitiateSystemShutdown", "InitiateSystemShutdownExW",
                     "NtRaiseHardError", "ZwRaiseHardError",
                     "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
                     "OptionShutdownSystem", "SeShutdownPrivilege"))
    or
    (process.name : ("shutdown", "reboot", "halt", "poweroff") and
     not process.name : "*.exe" and
     host.os.type : ("linux", "macos"))
    or
    (process.name : "systemctl" and
     process.args : ("poweroff", "reboot", "halt", "shutdown") and
     host.os.type : ("linux", "macos"))
  )
]

// Standalone alert for high-risk single events
process where event.type == "start" and
(
  (
    process.name : "shutdown.exe" and
    process.args : ("/s", "/r", "-s", "-r") and
    (
      process.args : ("/t", "-t") or
      process.args : ("/f", "-f") or
      process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                              "cscript.exe", "mshta.exe", "regsvr32.exe",
                              "rundll32.exe", "msiexec.exe")
    )
  )
  or
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*ExitWindowsEx*", "*InitiateSystemShutdown*",
                            "*NtRaiseHardError*", "*ZwRaiseHardError*",
                            "*EWX_SHUTDOWN*", "*EWX_REBOOT*", "*OptionShutdownSystem*")
  )
)

Detects T1529 System Shutdown/Reboot abuse across Windows, Linux, and macOS. Covers three branches: (1) shutdown.exe with suspicious flags or parent processes, (2) PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError) commonly seen in destructive malware like WhisperGate and LockerGoga, and (3) native Linux/macOS shutdown utilities invoked with force or immediate flags.

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Auditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Legitimate scheduled maintenance scripts that invoke shutdown.exe or systemctl poweroff during approved maintenance windows
IT administrators performing remote shutdowns via SCCM, Ansible, or similar orchestration tools that spawn shutdown.exe from cmd.exe or PowerShell
Software installers or update mechanisms (e.g., Windows Update, patch management agents) that require reboots and invoke shutdown.exe from msiexec.exe

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CASE
    WHEN LOWER("Process Name") LIKE '%shutdown.exe%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") LIKE '%exitwindowsex%'
      OR LOWER("Command") LIKE '%initiatesystemshutdown%'
      OR LOWER("Command") LIKE '%ntraiseharderror%'
      OR LOWER("Command") LIKE '%zwraiseharderror%'
      OR LOWER("Command") LIKE '%ewx_shutdown%'
      OR LOWER("Command") LIKE '%ewx_reboot%'
      OR LOWER("Command") LIKE '%optionshutdownsystem%' THEN 4
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") LIKE '%/t 0%' OR LOWER("Command") LIKE '%-t 0%'
      OR LOWER("Command") LIKE '%now%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") LIKE '%/f%' OR LOWER("Command") LIKE '%-f %'
      OR LOWER("Command") LIKE '%--force%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%cmd.exe%'
      OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
      OR LOWER("Parent Process Name") LIKE '%pwsh.exe%'
      OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
      OR LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
      OR LOWER("Parent Process Name") LIKE '%rundll32.exe%'
      OR LOWER("Parent Process Name") LIKE '%msiexec.exe%' THEN 2
    ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%'
       OR name LIKE '%Windows%Security%'
       OR name LIKE '%Audit%'
  )
  AND starttime > (NOW() - 86400000)
  AND (
    (
      LOWER("Process Name") LIKE '%shutdown.exe%'
      AND (
        LOWER("Command") LIKE '%/s%' OR LOWER("Command") LIKE '%/r%'
        OR LOWER("Command") LIKE '%-s %' OR LOWER("Command") LIKE '%-r %'
      )
    )
    OR (
      (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND (
        LOWER("Command") LIKE '%exitwindowsex%'
        OR LOWER("Command") LIKE '%initiatesystemshutdown%'
        OR LOWER("Command") LIKE '%ntraiseharderror%'
        OR LOWER("Command") LIKE '%zwraiseharderror%'
        OR LOWER("Command") LIKE '%ewx_shutdown%'
        OR LOWER("Command") LIKE '%ewx_reboot%'
        OR LOWER("Command") LIKE '%optionshutdownsystem%'
        OR LOWER("Command") LIKE '%seshutdownprivilege%'
      )
    )
    OR (
      (
        LOWER("Process Name") LIKE '%/shutdown'
        OR LOWER("Process Name") LIKE '%/reboot'
        OR LOWER("Process Name") LIKE '%/halt'
        OR LOWER("Process Name") LIKE '%/poweroff'
      )
      AND LOWER("Process Name") NOT LIKE '%.exe'
    )
    OR (
      LOWER("Process Name") LIKE '%systemctl%'
      AND (
        LOWER("Command") LIKE '%poweroff%'
        OR LOWER("Command") LIKE '%reboot%'
        OR LOWER("Command") LIKE '%halt%'
      )
    )
  )
HAVING risk_score >= 1
ORDER BY risk_score DESC, event_time DESC

Detects T1529 System Shutdown/Reboot activity via QRadar AQL by correlating process execution events across Windows Sysmon and Security logs. Covers shutdown.exe abuse, PowerShell Windows API invocations (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError), and Linux/macOS native shutdown utilities. Risk scoring mirrors the KQL/SPL approach with weighted scoring for API abuse and suspicious parent processes.

high severity medium confidence

Data Sources

IBM QRadar Windows Sysmon via DSM Windows Security Event Log via DSM Linux syslog via DSM

Required Tables

events

False Positives

Scheduled patch management reboots triggered by SCCM, WSUS, or similar enterprise tools that invoke shutdown.exe from authorized parent processes
Linux cron-based maintenance scripts that call 'systemctl reboot' or 'shutdown -r now' during approved maintenance windows
Security testing or red team exercises that exercise shutdown API calls in isolated lab environments logged to production QRadar

Sumo Logic CSE

sql

(_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/linux/syslog" OR _sourceCategory="os/macos/audit")
| where EventID = 1 OR EventID = "1" OR _sourceCategory matches "*linux*" OR _sourceCategory matches "*macos*"
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| where (
    (image_path matches "*\\shutdown.exe" and (
      cmd_line matches "*/s *" or cmd_line matches "*/r *" or
      cmd_line matches "*-s *" or cmd_line matches "*-r *" or
      cmd_line = "*/s" or cmd_line = "*/r"
    ))
    or (
      (image_path matches "*\\powershell.exe" or image_path matches "*\\pwsh.exe") and (
        cmd_line matches "*ExitWindowsEx*" or cmd_line matches "*InitiateSystemShutdown*" or
        cmd_line matches "*NtRaiseHardError*" or cmd_line matches "*ZwRaiseHardError*" or
        cmd_line matches "*EWX_SHUTDOWN*" or cmd_line matches "*EWX_REBOOT*" or
        cmd_line matches "*EWX_POWEROFF*" or cmd_line matches "*OptionShutdownSystem*" or
        cmd_line matches "*SeShutdownPrivilege*"
      )
    )
    or (
      (image_path matches "*/shutdown" or image_path matches "*/reboot" or
       image_path matches "*/halt" or image_path matches "*/poweroff")
      and not image_path matches "*.exe"
    )
    or (
      image_path matches "*/systemctl" and (
        cmd_line matches "*poweroff*" or cmd_line matches "*reboot*" or
        cmd_line matches "*halt*" or cmd_line matches "*shutdown*"
      )
    )
  )
| eval is_windows_shutdown = if(image_path matches "*\\shutdown.exe", 1, 0)
| eval is_powershell_api = if(
    (image_path matches "*\\powershell.exe" or image_path matches "*\\pwsh.exe") and
    (cmd_line matches "*ExitWindowsEx*" or cmd_line matches "*InitiateSystemShutdown*" or
     cmd_line matches "*NtRaiseHardError*" or cmd_line matches "*ZwRaiseHardError*" or
     cmd_line matches "*EWX_SHUTDOWN*" or cmd_line matches "*EWX_REBOOT*" or
     cmd_line matches "*OptionShutdownSystem*"),
    1, 0)
| eval is_linux_mac_shutdown = if(
    (image_path matches "*/shutdown" or image_path matches "*/reboot" or
     image_path matches "*/halt" or image_path matches "*/poweroff" or
     image_path matches "*/systemctl")
    and not image_path matches "*.exe",
    1, 0)
| eval immediate_shutdown = if(
    cmd_line matches "*/t 0*" or cmd_line matches "*-t 0*" or
    cmd_line matches "* now*" or cmd_line matches "*+0*",
    1, 0)
| eval forced_shutdown = if(
    cmd_line matches "*/f *" or cmd_line matches "*-f *" or
    cmd_line matches "*--force*",
    1, 0)
| eval remote_shutdown = if(cmd_line matches "*/m *" or cmd_line matches "*/m\\\\*", 1, 0)
| eval suspicious_parent = if(
    parent_image matches "*\\cmd.exe" or parent_image matches "*\\powershell.exe" or
    parent_image matches "*\\pwsh.exe" or parent_image matches "*\\wscript.exe" or
    parent_image matches "*\\cscript.exe" or parent_image matches "*\\mshta.exe" or
    parent_image matches "*\\regsvr32.exe" or parent_image matches "*\\rundll32.exe" or
    parent_image matches "*\\msiexec.exe",
    1, 0)
| eval risk_score = is_windows_shutdown + (is_powershell_api * 4) + immediate_shutdown +
                    forced_shutdown + (suspicious_parent * 2) + remote_shutdown
| where risk_score >= 1
| fields _messageTime, Computer, User, image_path, cmd_line, parent_image,
         is_windows_shutdown, is_powershell_api, is_linux_mac_shutdown,
         immediate_shutdown, forced_shutdown, remote_shutdown, suspicious_parent, risk_score
| sort by risk_score desc, _messageTime desc

Detects T1529 System Shutdown/Reboot activity via Sumo Logic by parsing Sysmon EventID 1 (Process Create) and equivalent Linux/macOS process audit events. Applies the same risk scoring model as the KQL/SPL detections: PowerShell Windows API abuse scores highest (4 points), suspicious parent processes score 2 points, and immediate/forced/remote flags each add 1 point. Minimum threshold of risk_score >= 1 ensures broad coverage while suppressing noise.

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows Sysmon) Sumo Logic Installed Collector (Linux syslog/auditd) Sumo Logic Installed Collector (macOS audit)

Required Tables

_sourceCategory=os/windows/sysmon _sourceCategory=os/linux/syslog _sourceCategory=os/macos/audit

False Positives

Automated patch management systems (SCCM, Ansible, Chef, Puppet) that invoke shutdown or reboot commands as part of approved maintenance tasks
Container orchestration or cloud automation (Kubernetes, Terraform, AWS SSM Run Command) that sends reboot signals through legitimate administrative channels
Developers testing shutdown/reboot handling in staging environments where Sysmon or audit logging is enabled and forwarded to production Sumo Logic

Google Chronicle / SecOps

yaral

rule t1529_system_shutdown_reboot {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1529 System Shutdown/Reboot abuse including shutdown.exe with suspicious flags, PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError), and Linux/macOS native shutdown utilities. Covers destructive malware patterns from WhisperGate, LockerGoga, Olympic Destroyer, and BFG Agonizer."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1529"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      // Branch 1: Windows shutdown.exe with shutdown/reboot flags
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)shutdown\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)(/s|/r|-s\s|-r\s)`) and
          re.regex($e.target.process.command_line, `(?i)(/t\s*0|-t\s*0|/f|-f\s|/m\s|/m\\\\|\bnow\b)`)
        )
      )
      or
      // Branch 2: Windows shutdown.exe from suspicious parent
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)shutdown\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(/s|/r|-s\s|-r\s)`) and
        re.regex($e.principal.process.file.full_path,
          `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)$`)
      )
      or
      // Branch 3: PowerShell Windows API abuse
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(ExitWindowsEx|InitiateSystemShutdown|InitiateSystemShutdownExW|NtRaiseHardError|ZwRaiseHardError|EWX_SHUTDOWN|EWX_REBOOT|EWX_POWEROFF|OptionShutdownSystem|SeShutdownPrivilege)`)
      )
      or
      // Branch 4: Linux/macOS native shutdown utilities
      (
        re.regex($e.target.process.file.full_path, `(^|/)( shutdown|reboot|halt|poweroff)$`) and
        not re.regex($e.target.process.file.full_path, `\.exe$`) and
        (
          $e.principal.asset.platform_software.platform_version = "LINUX" or
          $e.principal.asset.platform_software.platform_version = "MAC"
        )
      )
      or
      // Branch 5: systemctl with destructive subcommands
      (
        re.regex($e.target.process.file.full_path, `(^|/)systemctl$`) and
        re.regex($e.target.process.command_line, `(?i)(poweroff|reboot|halt|shutdown)`) and
        not re.regex($e.target.process.file.full_path, `\.exe$`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1529 System Shutdown/Reboot abuse across Windows, Linux, and macOS endpoints. Five detection branches cover: shutdown.exe with immediate/forced/remote flags, shutdown.exe spawned from suspicious LOLBin parents (cmd, wscript, mshta, etc.), PowerShell invoking Windows API shutdown functions (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError) as seen in destructive malware, and Linux/macOS native shutdown utilities including systemctl.

high severity high confidence

Data Sources

Chronicle UDM (Google Security Operations) Endpoint telemetry via Chronicle forwarder Windows Sysmon via Chronicle ingestion Linux/macOS audit logs via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise endpoint management tools (Microsoft Endpoint Configuration Manager, Jamf, Intune) that issue scheduled shutdowns and reboots via PowerShell or system utilities with /f or /t 0 flags
Linux infrastructure automation using Ansible or SaltStack that calls 'systemctl reboot' or 'shutdown -h now' as part of rolling update pipelines
Cloud instance lifecycle hooks that invoke shutdown commands when auto-scaling groups terminate instances, generating shutdown process events on ephemeral hosts

CrowdStrike LogScale (CQL)

cql

// T1529 System Shutdown/Reboot Detection
// Branch 1: Windows shutdown.exe abuse
#event_simpleName=ProcessRollup2
| FileName = /(?i)^shutdown\.exe$/
| CommandLine = /(?i)(\/s|\/r|-s\s|-r\s|-s$|-r$)/
| case {
    CommandLine = /(?i)(/t\s*0|-t\s*0)/: ImmediateShutdown := "true";
    * : ImmediateShutdown := "false"
  }
| case {
    CommandLine = /(?i)(/f\s|-f\s|--force)/: ForcedShutdown := "true";
    * : ForcedShutdown := "false"
  }
| case {
    CommandLine = /(?i)(/m\s|/m\\\\)/: RemoteShutdown := "true";
    * : RemoteShutdown := "false"
  }
| case {
    ParentBaseFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)/: SuspiciousParent := "true";
    * : SuspiciousParent := "false"
  }
| RiskScore := 1
| RiskScore := if(ImmediateShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(ForcedShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(RemoteShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(SuspiciousParent = "true", RiskScore + 2, RiskScore)
| DetectionBranch := "WindowsShutdownExe"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine,
          ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
          RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])

// Branch 2: PowerShell Windows API abuse
| union [
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^(powershell|pwsh)\.exe$/
  | CommandLine = /(?i)(ExitWindowsEx|InitiateSystemShutdown|InitiateSystemShutdownExW|NtRaiseHardError|ZwRaiseHardError|EWX_SHUTDOWN|EWX_REBOOT|EWX_POWEROFF|OptionShutdownSystem|SeShutdownPrivilege)/
  | ImmediateShutdown := "true"
  | ForcedShutdown := "true"
  | RemoteShutdown := "false"
  | SuspiciousParent := "true"
  | RiskScore := 4
  | DetectionBranch := "PowerShellAPIAbuse"
  | select([@timestamp, ComputerName, UserName, FileName, CommandLine,
            ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
            RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
]

// Branch 3: Linux/macOS shutdown utilities
| union [
  #event_simpleName=ProcessRollup2
  | FileName = /^(shutdown|reboot|halt|poweroff|systemctl)$/
  | FileName != /\.exe$/
  | case {
      FileName = "systemctl": CommandLine = /(?i)(poweroff|reboot|halt|shutdown)/;
      * : true
    }
  | case {
      CommandLine = /(-t\s*0|\bnow\b|\+0)/: ImmediateShutdown := "true";
      * : ImmediateShutdown := "false"
    }
  | case {
      CommandLine = /(-f\s|--force)/: ForcedShutdown := "true";
      * : ForcedShutdown := "false"
    }
  | RemoteShutdown := "false"
  | case {
      ParentBaseFileName = /(?i)(bash|sh|python|perl|ruby|php|node)/: SuspiciousParent := "true";
      * : SuspiciousParent := "false"
    }
  | RiskScore := 1
  | RiskScore := if(ImmediateShutdown = "true", RiskScore + 1, RiskScore)
  | RiskScore := if(ForcedShutdown = "true", RiskScore + 1, RiskScore)
  | RiskScore := if(SuspiciousParent = "true", RiskScore + 2, RiskScore)
  | DetectionBranch := "LinuxMacShutdown"
  | select([@timestamp, ComputerName, UserName, FileName, CommandLine,
            ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
            RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
]

| where RiskScore >= 1
| sort(RiskScore, order=desc)
| sort(@timestamp, order=desc)

CrowdStrike LogScale (CQL) detection for T1529 System Shutdown/Reboot using Falcon ProcessRollup2 telemetry. Three unioned branches detect: (1) shutdown.exe invocations with shutdown/reboot flags, risk-scored by immediate, forced, and remote options plus suspicious parent processes; (2) PowerShell/pwsh invoking Windows API functions used by destructive malware (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError, EWX_SHUTDOWN); and (3) Linux/macOS native shutdown utilities (shutdown, reboot, halt, poweroff, systemctl) with suspicious interpreter parents. Events with risk_score >= 1 are surfaced, sorted by score descending.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events Falcon for Linux/macOS endpoints

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2)

False Positives

Falcon Real Time Response (RTR) sessions where administrators issue shutdown or reboot commands to remote hosts through the Falcon console, generating ProcessRollup2 events for shutdown.exe
Automated CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that trigger system reboots after kernel updates or configuration changes via scripts spawning shutdown utilities
Endpoint compliance enforcement tools that detect and remediate drift by rebooting systems to apply group policy or configuration changes, typically spawning shutdown.exe from msiexec.exe or a management agent

Sigma rule & cross-platform mapping

The detection logic for System Shutdown/Reboot (T1529) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1529 Sigma rules on detection.fyi

Platform-specific guides for T1529

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-20 Research depth: deep

References (12)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)
Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.
Test 2Forced Immediate Reboot — Wiper Simulation (Lab VM Only)
Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.
Test 3PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — P/Invoke signature is defined but the method is never invoked.
Test 4Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)
Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and cancellation. sudo pam_unix authentication log entries.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Shutdown/Reboot

What is T1529 System Shutdown/Reboot?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1529

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Impact

Popular Detections

What is T1529 System Shutdown/Reboot?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1529

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox