T1529 Google Chronicle · YARA-L

Detect System Shutdown/Reboot in Google Chronicle

Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.

MITRE ATT&CK

Tactic
Impact
Technique
T1529 System Shutdown/Reboot
Canonical reference
https://attack.mitre.org/techniques/T1529/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1529_system_shutdown_reboot {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1529 System Shutdown/Reboot abuse including shutdown.exe with suspicious flags, PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError), and Linux/macOS native shutdown utilities. Covers destructive malware patterns from WhisperGate, LockerGoga, Olympic Destroyer, and BFG Agonizer."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1529"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      // Branch 1: Windows shutdown.exe with shutdown/reboot flags
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)shutdown\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)(/s|/r|-s\s|-r\s)`) and
          re.regex($e.target.process.command_line, `(?i)(/t\s*0|-t\s*0|/f|-f\s|/m\s|/m\\\\|\bnow\b)`)
        )
      )
      or
      // Branch 2: Windows shutdown.exe from suspicious parent
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)shutdown\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(/s|/r|-s\s|-r\s)`) and
        re.regex($e.principal.process.file.full_path,
          `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)$`)
      )
      or
      // Branch 3: PowerShell Windows API abuse
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(ExitWindowsEx|InitiateSystemShutdown|InitiateSystemShutdownExW|NtRaiseHardError|ZwRaiseHardError|EWX_SHUTDOWN|EWX_REBOOT|EWX_POWEROFF|OptionShutdownSystem|SeShutdownPrivilege)`)
      )
      or
      // Branch 4: Linux/macOS native shutdown utilities
      (
        re.regex($e.target.process.file.full_path, `(^|/)( shutdown|reboot|halt|poweroff)$`) and
        not re.regex($e.target.process.file.full_path, `\.exe$`) and
        (
          $e.principal.asset.platform_software.platform_version = "LINUX" or
          $e.principal.asset.platform_software.platform_version = "MAC"
        )
      )
      or
      // Branch 5: systemctl with destructive subcommands
      (
        re.regex($e.target.process.file.full_path, `(^|/)systemctl$`) and
        re.regex($e.target.process.command_line, `(?i)(poweroff|reboot|halt|shutdown)`) and
        not re.regex($e.target.process.file.full_path, `\.exe$`)
      )
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1529 System Shutdown/Reboot abuse across Windows, Linux, and macOS endpoints. Five detection branches cover: shutdown.exe with immediate/forced/remote flags, shutdown.exe spawned from suspicious LOLBin parents (cmd, wscript, mshta, etc.), PowerShell invoking Windows API shutdown functions (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError) as seen in destructive malware, and Linux/macOS native shutdown utilities including systemctl.

Data Sources

Chronicle UDM (Google Security Operations)Endpoint telemetry via Chronicle forwarderWindows Sysmon via Chronicle ingestionLinux/macOS audit logs via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Enterprise endpoint management tools (Microsoft Endpoint Configuration Manager, Jamf, Intune) that issue scheduled shutdowns and reboots via PowerShell or system utilities with /f or /t 0 flags
  • Linux infrastructure automation using Ansible or SaltStack that calls 'systemctl reboot' or 'shutdown -h now' as part of rolling update pipelines
  • Cloud instance lifecycle hooks that invoke shutdown commands when auto-scaling groups terminate instances, generating shutdown process events on ephemeral hosts
Download portable Sigma rule (.yml)

Other platforms for T1529

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)

    Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.

  2. Test 2Forced Immediate Reboot — Wiper Simulation (Lab VM Only)

    Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.

  3. Test 3PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — P/Invoke signature is defined but the method is never invoked.

  4. Test 4Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)

    Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and cancellation. sudo pam_unix authentication log entries.

Last updated: 2026-04-20 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1561Disk WipeT1561.002Disk Structure WipeT1490Inhibit System RecoveryT1489Service StopT1485Data DestructionT1134Access Token ManipulationT1059.001PowerShellT1059.008Network Device CLIT1486Data Encrypted for Impact

Same Tactic: Impact

Popular Detections