T1529

System Shutdown/Reboot

Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.

Microsoft Sentinel / Defender

kusto

let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"]);
// Branch 1: Windows shutdown.exe
let WindowsShutdown = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "shutdown.exe"
| where ProcessCommandLine has_any ("/s", "/r", "-s", "-r")
| extend ImmediateShutdown = ProcessCommandLine has "/t 0" or ProcessCommandLine has "-t 0"
| extend ForcedShutdown = ProcessCommandLine has "/f" or ProcessCommandLine has "-f"
| extend RemoteShutdown = ProcessCommandLine has "/m"
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend RiskScore = toint(ImmediateShutdown) + toint(ForcedShutdown) + toint(SuspiciousParent) * 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="WindowsShutdownExe";
// Branch 2: PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError)
let PowerShellAPIAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "ExitWindowsEx", "InitiateSystemShutdown", "InitializeSystemShutdownExW",
    "NtRaiseHardError", "ZwRaiseHardError",
    "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
    "OptionShutdownSystem", "SeShutdownPrivilege"
  )
| extend ImmediateShutdown = true
| extend ForcedShutdown = true
| extend RemoteShutdown = false
| extend SuspiciousParent = true
| extend RiskScore = 4
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="PowerShellAPIAbuse";
// Branch 3: Linux/macOS shutdown utilities
let LinuxMacShutdown = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ ("shutdown", "reboot", "halt", "poweroff"))
    or (FileName =~ "systemctl" and ProcessCommandLine has_any ("poweroff", "reboot", "halt", "shutdown"))
    or (FileName =~ "init" and ProcessCommandLine matches regex @"\s[06]$")
  )
| where DeviceOSPlatform in~ ("Linux", "macOS")
| extend ImmediateShutdown = ProcessCommandLine has_any ("-t 0", "now", "+0")
| extend ForcedShutdown = ProcessCommandLine has_any ("-f", "--force")
| extend RemoteShutdown = false
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend RiskScore = toint(ImmediateShutdown) + toint(ForcedShutdown) + toint(SuspiciousParent) * 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="LinuxMacShutdown";
WindowsShutdown
| union PowerShellAPIAbuse
| union LinuxMacShutdown
| where RiskScore >= 1
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators performing scheduled maintenance reboots via RMM agents (ConnectWise Control, Kaseya VSA, TeamViewer) — these typically spawn from the RMM agent process, not scripting hosts
Windows Update process initiating reboots after patch installation — typically initiated by TrustedInstaller or svchost.exe with wuauserv service tag, with long /t timeout values
Configuration management and patch automation platforms (Ansible WinRM, SCCM, Intune) executing shutdown commands as part of deployment or patch cycles — usually from known service accounts at scheduled times
Hypervisor guest agents (VMware Tools vmtoolsd.exe, VirtualBox additions) performing coordinated shutdown during snapshot or migration operations
Legitimate helpdesk personnel remotely rebooting endpoints via shutdown /m after troubleshooting sessions — identifiable by the /r flag (reboot, not shutdown) and corresponding helpdesk ticket

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\shutdown.exe" AND (CommandLine="*/s *" OR CommandLine="*/r *" OR CommandLine="*-s *" OR CommandLine="*-r *" OR CommandLine="*/s" OR CommandLine="*/r"))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
      AND (CommandLine="*ExitWindowsEx*" OR CommandLine="*InitiateSystemShutdown*" OR CommandLine="*NtRaiseHardError*"
           OR CommandLine="*ZwRaiseHardError*" OR CommandLine="*EWX_SHUTDOWN*" OR CommandLine="*EWX_REBOOT*"
           OR CommandLine="*OptionShutdownSystem*" OR CommandLine="*SeShutdownPrivilege*"))
  OR (match(Image, "/(shutdown|reboot|halt|poweroff)$") AND NOT match(Image, "\.exe$"))
  OR (Image="*/systemctl" AND (CommandLine="*poweroff*" OR CommandLine="*reboot*" OR CommandLine="*halt*"))
)
| eval IsWindowsShutdownExe=if(match(Image, "\\\\shutdown\.exe$"), 1, 0)
| eval IsPowerShellAPI=if(match(lower(CommandLine), "(exitwindowsex|initiatesystemshutdown|initializesystemshutdownexw|ntraiseharderror|zwraiseharderror|ewx_shutdown|ewx_reboot|ewx_poweroff|optionshutdownsystem|seshutdownprivilege)"), 1, 0)
| eval IsLinuxMacShutdown=if(match(Image, "/(shutdown|reboot|halt|poweroff|systemctl)$") AND NOT match(Image, "\.exe"), 1, 0)
| eval ImmediateShutdown=if(match(CommandLine, "(/t\s*0|-t\s*0|\bnow\b|\+0)"), 1, 0)
| eval ForcedShutdown=if(match(CommandLine, "(/f[\s"]|-f[\s"]|--force)"), 1, 0)
| eval RemoteShutdown=if(match(CommandLine, "(/m\s|/m\\\\)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)"), 1, 0)
| eval RiskScore=IsWindowsShutdownExe + (IsPowerShellAPI * 4) + ImmediateShutdown + ForcedShutdown + (SuspiciousParent * 2) + RemoteShutdown
| where RiskScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsWindowsShutdownExe, IsPowerShellAPI, IsLinuxMacShutdown,
        ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore
| sort - RiskScore - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators performing scheduled maintenance reboots via RMM agents — identifiable by known RMM agent parent processes (ConnectWise, Kaseya, TeamViewer) at expected maintenance windows
Windows Update reboots — parent process is typically TrustedInstaller or svchost.exe with long timeout values and predictable scheduling
Configuration management platforms (Ansible, SCCM, Intune) executing shutdown commands during patch cycles — known service accounts at scheduled times
Hypervisor guest agents performing coordinated shutdown during snapshot or live migration operations
Legitimate helpdesk remote reboot sessions — correlate with ticketing system records and RMM session logs

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and event.type == "start" and
  (
    (process.name : "shutdown.exe" and process.args : ("/s", "/r", "-s", "-r"))
    or
    (process.name : ("powershell.exe", "pwsh.exe") and
     process.args : ("ExitWindowsEx", "InitiateSystemShutdown", "InitiateSystemShutdownExW",
                     "NtRaiseHardError", "ZwRaiseHardError",
                     "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
                     "OptionShutdownSystem", "SeShutdownPrivilege"))
    or
    (process.name : ("shutdown", "reboot", "halt", "poweroff") and
     not process.name : "*.exe" and
     host.os.type : ("linux", "macos"))
    or
    (process.name : "systemctl" and
     process.args : ("poweroff", "reboot", "halt", "shutdown") and
     host.os.type : ("linux", "macos"))
  )
]

// Standalone alert for high-risk single events
process where event.type == "start" and
(
  (
    process.name : "shutdown.exe" and
    process.args : ("/s", "/r", "-s", "-r") and
    (
      process.args : ("/t", "-t") or
      process.args : ("/f", "-f") or
      process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                              "cscript.exe", "mshta.exe", "regsvr32.exe",
                              "rundll32.exe", "msiexec.exe")
    )
  )
  or
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*ExitWindowsEx*", "*InitiateSystemShutdown*",
                            "*NtRaiseHardError*", "*ZwRaiseHardError*",
                            "*EWX_SHUTDOWN*", "*EWX_REBOOT*", "*OptionShutdownSystem*")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Auditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Legitimate scheduled maintenance scripts that invoke shutdown.exe or systemctl poweroff during approved maintenance windows
IT administrators performing remote shutdowns via SCCM, Ansible, or similar orchestration tools that spawn shutdown.exe from cmd.exe or PowerShell
Software installers or update mechanisms (e.g., Windows Update, patch management agents) that require reboots and invoke shutdown.exe from msiexec.exe

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CASE
    WHEN LOWER("Process Name") LIKE '%shutdown.exe%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") LIKE '%exitwindowsex%'
      OR LOWER("Command") LIKE '%initiatesystemshutdown%'
      OR LOWER("Command") LIKE '%ntraiseharderror%'
      OR LOWER("Command") LIKE '%zwraiseharderror%'
      OR LOWER("Command") LIKE '%ewx_shutdown%'
      OR LOWER("Command") LIKE '%ewx_reboot%'
      OR LOWER("Command") LIKE '%optionshutdownsystem%' THEN 4
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") LIKE '%/t 0%' OR LOWER("Command") LIKE '%-t 0%'
      OR LOWER("Command") LIKE '%now%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") LIKE '%/f%' OR LOWER("Command") LIKE '%-f %'
      OR LOWER("Command") LIKE '%--force%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%cmd.exe%'
      OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
      OR LOWER("Parent Process Name") LIKE '%pwsh.exe%'
      OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
      OR LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
      OR LOWER("Parent Process Name") LIKE '%rundll32.exe%'
      OR LOWER("Parent Process Name") LIKE '%msiexec.exe%' THEN 2
    ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%'
       OR name LIKE '%Windows%Security%'
       OR name LIKE '%Audit%'
  )
  AND starttime > (NOW() - 86400000)
  AND (
    (
      LOWER("Process Name") LIKE '%shutdown.exe%'
      AND (
        LOWER("Command") LIKE '%/s%' OR LOWER("Command") LIKE '%/r%'
        OR LOWER("Command") LIKE '%-s %' OR LOWER("Command") LIKE '%-r %'
      )
    )
    OR (
      (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND (
        LOWER("Command") LIKE '%exitwindowsex%'
        OR LOWER("Command") LIKE '%initiatesystemshutdown%'
        OR LOWER("Command") LIKE '%ntraiseharderror%'
        OR LOWER("Command") LIKE '%zwraiseharderror%'
        OR LOWER("Command") LIKE '%ewx_shutdown%'
        OR LOWER("Command") LIKE '%ewx_reboot%'
        OR LOWER("Command") LIKE '%optionshutdownsystem%'
        OR LOWER("Command") LIKE '%seshutdownprivilege%'
      )
    )
    OR (
      (
        LOWER("Process Name") LIKE '%/shutdown'
        OR LOWER("Process Name") LIKE '%/reboot'
        OR LOWER("Process Name") LIKE '%/halt'
        OR LOWER("Process Name") LIKE '%/poweroff'
      )
      AND LOWER("Process Name") NOT LIKE '%.exe'
    )
    OR (
      LOWER("Process Name") LIKE '%systemctl%'
      AND (
        LOWER("Command") LIKE '%poweroff%'
        OR LOWER("Command") LIKE '%reboot%'
        OR LOWER("Command") LIKE '%halt%'
      )
    )
  )
HAVING risk_score >= 1
ORDER BY risk_score DESC, event_time DESC

high severity medium confidence

Data Sources

IBM QRadar Windows Sysmon via DSM Windows Security Event Log via DSM Linux syslog via DSM

Required Tables

events

False Positives

Scheduled patch management reboots triggered by SCCM, WSUS, or similar enterprise tools that invoke shutdown.exe from authorized parent processes
Linux cron-based maintenance scripts that call 'systemctl reboot' or 'shutdown -r now' during approved maintenance windows
Security testing or red team exercises that exercise shutdown API calls in isolated lab environments logged to production QRadar

Sumo Logic CSE

sql

(_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/linux/syslog" OR _sourceCategory="os/macos/audit")
| where EventID = 1 OR EventID = "1" OR _sourceCategory matches "*linux*" OR _sourceCategory matches "*macos*"
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| where (
    (image_path matches "*\\shutdown.exe" and (
      cmd_line matches "*/s *" or cmd_line matches "*/r *" or
      cmd_line matches "*-s *" or cmd_line matches "*-r *" or
      cmd_line = "*/s" or cmd_line = "*/r"
    ))
    or (
      (image_path matches "*\\powershell.exe" or image_path matches "*\\pwsh.exe") and (
        cmd_line matches "*ExitWindowsEx*" or cmd_line matches "*InitiateSystemShutdown*" or
        cmd_line matches "*NtRaiseHardError*" or cmd_line matches "*ZwRaiseHardError*" or
        cmd_line matches "*EWX_SHUTDOWN*" or cmd_line matches "*EWX_REBOOT*" or
        cmd_line matches "*EWX_POWEROFF*" or cmd_line matches "*OptionShutdownSystem*" or
        cmd_line matches "*SeShutdownPrivilege*"
      )
    )
    or (
      (image_path matches "*/shutdown" or image_path matches "*/reboot" or
       image_path matches "*/halt" or image_path matches "*/poweroff")
      and not image_path matches "*.exe"
    )
    or (
      image_path matches "*/systemctl" and (
        cmd_line matches "*poweroff*" or cmd_line matches "*reboot*" or
        cmd_line matches "*halt*" or cmd_line matches "*shutdown*"
      )
    )
  )
| eval is_windows_shutdown = if(image_path matches "*\\shutdown.exe", 1, 0)
| eval is_powershell_api = if(
    (image_path matches "*\\powershell.exe" or image_path matches "*\\pwsh.exe") and
    (cmd_line matches "*ExitWindowsEx*" or cmd_line matches "*InitiateSystemShutdown*" or
     cmd_line matches "*NtRaiseHardError*" or cmd_line matches "*ZwRaiseHardError*" or
     cmd_line matches "*EWX_SHUTDOWN*" or cmd_line matches "*EWX_REBOOT*" or
     cmd_line matches "*OptionShutdownSystem*"),
    1, 0)
| eval is_linux_mac_shutdown = if(
    (image_path matches "*/shutdown" or image_path matches "*/reboot" or
     image_path matches "*/halt" or image_path matches "*/poweroff" or
     image_path matches "*/systemctl")
    and not image_path matches "*.exe",
    1, 0)
| eval immediate_shutdown = if(
    cmd_line matches "*/t 0*" or cmd_line matches "*-t 0*" or
    cmd_line matches "* now*" or cmd_line matches "*+0*",
    1, 0)
| eval forced_shutdown = if(
    cmd_line matches "*/f *" or cmd_line matches "*-f *" or
    cmd_line matches "*--force*",
    1, 0)
| eval remote_shutdown = if(cmd_line matches "*/m *" or cmd_line matches "*/m\\\\*", 1, 0)
| eval suspicious_parent = if(
    parent_image matches "*\\cmd.exe" or parent_image matches "*\\powershell.exe" or
    parent_image matches "*\\pwsh.exe" or parent_image matches "*\\wscript.exe" or
    parent_image matches "*\\cscript.exe" or parent_image matches "*\\mshta.exe" or
    parent_image matches "*\\regsvr32.exe" or parent_image matches "*\\rundll32.exe" or
    parent_image matches "*\\msiexec.exe",
    1, 0)
| eval risk_score = is_windows_shutdown + (is_powershell_api * 4) + immediate_shutdown +
                    forced_shutdown + (suspicious_parent * 2) + remote_shutdown
| where risk_score >= 1
| fields _messageTime, Computer, User, image_path, cmd_line, parent_image,
         is_windows_shutdown, is_powershell_api, is_linux_mac_shutdown,
         immediate_shutdown, forced_shutdown, remote_shutdown, suspicious_parent, risk_score
| sort by risk_score desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows Sysmon) Sumo Logic Installed Collector (Linux syslog/auditd) Sumo Logic Installed Collector (macOS audit)

Required Tables

_sourceCategory=os/windows/sysmon _sourceCategory=os/linux/syslog _sourceCategory=os/macos/audit

False Positives

Automated patch management systems (SCCM, Ansible, Chef, Puppet) that invoke shutdown or reboot commands as part of approved maintenance tasks
Container orchestration or cloud automation (Kubernetes, Terraform, AWS SSM Run Command) that sends reboot signals through legitimate administrative channels
Developers testing shutdown/reboot handling in staging environments where Sysmon or audit logging is enabled and forwarded to production Sumo Logic

Google Chronicle / SecOps

yaral

rule t1529_system_shutdown_reboot {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1529 System Shutdown/Reboot abuse including shutdown.exe with suspicious flags, PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError), and Linux/macOS native shutdown utilities. Covers destructive malware patterns from WhisperGate, LockerGoga, Olympic Destroyer, and BFG Agonizer."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1529"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      // Branch 1: Windows shutdown.exe with shutdown/reboot flags
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)shutdown\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)(/s|/r|-s\s|-r\s)`) and
          re.regex($e.target.process.command_line, `(?i)(/t\s*0|-t\s*0|/f|-f\s|/m\s|/m\\\\|\bnow\b)`)
        )
      )
      or
      // Branch 2: Windows shutdown.exe from suspicious parent
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)shutdown\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(/s|/r|-s\s|-r\s)`) and
        re.regex($e.principal.process.file.full_path,
          `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)$`)
      )
      or
      // Branch 3: PowerShell Windows API abuse
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(ExitWindowsEx|InitiateSystemShutdown|InitiateSystemShutdownExW|NtRaiseHardError|ZwRaiseHardError|EWX_SHUTDOWN|EWX_REBOOT|EWX_POWEROFF|OptionShutdownSystem|SeShutdownPrivilege)`)
      )
      or
      // Branch 4: Linux/macOS native shutdown utilities
      (
        re.regex($e.target.process.file.full_path, `(^|/)( shutdown|reboot|halt|poweroff)$`) and
        not re.regex($e.target.process.file.full_path, `\.exe$`) and
        (
          $e.principal.asset.platform_software.platform_version = "LINUX" or
          $e.principal.asset.platform_software.platform_version = "MAC"
        )
      )
      or
      // Branch 5: systemctl with destructive subcommands
      (
        re.regex($e.target.process.file.full_path, `(^|/)systemctl$`) and
        re.regex($e.target.process.command_line, `(?i)(poweroff|reboot|halt|shutdown)`) and
        not re.regex($e.target.process.file.full_path, `\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Google Security Operations) Endpoint telemetry via Chronicle forwarder Windows Sysmon via Chronicle ingestion Linux/macOS audit logs via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise endpoint management tools (Microsoft Endpoint Configuration Manager, Jamf, Intune) that issue scheduled shutdowns and reboots via PowerShell or system utilities with /f or /t 0 flags
Linux infrastructure automation using Ansible or SaltStack that calls 'systemctl reboot' or 'shutdown -h now' as part of rolling update pipelines
Cloud instance lifecycle hooks that invoke shutdown commands when auto-scaling groups terminate instances, generating shutdown process events on ephemeral hosts

CrowdStrike LogScale (CQL)

cql

// T1529 System Shutdown/Reboot Detection
// Branch 1: Windows shutdown.exe abuse
#event_simpleName=ProcessRollup2
| FileName = /(?i)^shutdown\.exe$/
| CommandLine = /(?i)(\/s|\/r|-s\s|-r\s|-s$|-r$)/
| case {
    CommandLine = /(?i)(/t\s*0|-t\s*0)/: ImmediateShutdown := "true";
    * : ImmediateShutdown := "false"
  }
| case {
    CommandLine = /(?i)(/f\s|-f\s|--force)/: ForcedShutdown := "true";
    * : ForcedShutdown := "false"
  }
| case {
    CommandLine = /(?i)(/m\s|/m\\\\)/: RemoteShutdown := "true";
    * : RemoteShutdown := "false"
  }
| case {
    ParentBaseFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)/: SuspiciousParent := "true";
    * : SuspiciousParent := "false"
  }
| RiskScore := 1
| RiskScore := if(ImmediateShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(ForcedShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(RemoteShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(SuspiciousParent = "true", RiskScore + 2, RiskScore)
| DetectionBranch := "WindowsShutdownExe"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine,
          ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
          RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])

// Branch 2: PowerShell Windows API abuse
| union [
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^(powershell|pwsh)\.exe$/
  | CommandLine = /(?i)(ExitWindowsEx|InitiateSystemShutdown|InitiateSystemShutdownExW|NtRaiseHardError|ZwRaiseHardError|EWX_SHUTDOWN|EWX_REBOOT|EWX_POWEROFF|OptionShutdownSystem|SeShutdownPrivilege)/
  | ImmediateShutdown := "true"
  | ForcedShutdown := "true"
  | RemoteShutdown := "false"
  | SuspiciousParent := "true"
  | RiskScore := 4
  | DetectionBranch := "PowerShellAPIAbuse"
  | select([@timestamp, ComputerName, UserName, FileName, CommandLine,
            ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
            RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
]

// Branch 3: Linux/macOS shutdown utilities
| union [
  #event_simpleName=ProcessRollup2
  | FileName = /^(shutdown|reboot|halt|poweroff|systemctl)$/
  | FileName != /\.exe$/
  | case {
      FileName = "systemctl": CommandLine = /(?i)(poweroff|reboot|halt|shutdown)/;
      * : true
    }
  | case {
      CommandLine = /(-t\s*0|\bnow\b|\+0)/: ImmediateShutdown := "true";
      * : ImmediateShutdown := "false"
    }
  | case {
      CommandLine = /(-f\s|--force)/: ForcedShutdown := "true";
      * : ForcedShutdown := "false"
    }
  | RemoteShutdown := "false"
  | case {
      ParentBaseFileName = /(?i)(bash|sh|python|perl|ruby|php|node)/: SuspiciousParent := "true";
      * : SuspiciousParent := "false"
    }
  | RiskScore := 1
  | RiskScore := if(ImmediateShutdown = "true", RiskScore + 1, RiskScore)
  | RiskScore := if(ForcedShutdown = "true", RiskScore + 1, RiskScore)
  | RiskScore := if(SuspiciousParent = "true", RiskScore + 2, RiskScore)
  | DetectionBranch := "LinuxMacShutdown"
  | select([@timestamp, ComputerName, UserName, FileName, CommandLine,
            ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
            RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
]

| where RiskScore >= 1
| sort(RiskScore, order=desc)
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events Falcon for Linux/macOS endpoints

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2)

False Positives

Falcon Real Time Response (RTR) sessions where administrators issue shutdown or reboot commands to remote hosts through the Falcon console, generating ProcessRollup2 events for shutdown.exe
Automated CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that trigger system reboots after kernel updates or configuration changes via scripts spawning shutdown utilities
Endpoint compliance enforcement tools that detect and remediate drift by rebooting systems to apply group policy or configuration changes, typically spawning shutdown.exe from msiexec.exe or a management agent

Last updated: 2026-04-20 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Shutdown/Reboot

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections