Which SIEM platforms have a T1529 detection rule?

df00tech provides T1529 (System Shutdown/Reboot) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Shutdown/Reboot (T1529)?

Detecting System Shutdown/Reboot requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1529 detection?

The T1529 detection is rated high severity with medium confidence.

What are common false positives for T1529?

Common false positives for T1529 include: System administrators performing scheduled maintenance reboots via RMM agents (ConnectWise Control, Kaseya VSA, TeamViewer) — these typically spawn from the RMM agent process, not scripting hosts; Windows Update process initiating reboots after patch installation — typically initiated by TrustedInstaller or svchost.exe with wuauserv service tag, with long /t timeout values; Configuration management and patch automation platforms (Ansible WinRM, SCCM, Intune) executing shutdown commands as part of deployment or patch cycles — usually from known service accounts at scheduled times.

T1529 Elastic Security · Elastic

Detect System Shutdown/Reboot in Elastic Security

Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.

MITRE ATT&CK

Tactic: Impact
Technique: T1529 System Shutdown/Reboot
Canonical reference: https://attack.mitre.org/techniques/T1529/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and event.type == "start" and
  (
    (process.name : "shutdown.exe" and process.args : ("/s", "/r", "-s", "-r"))
    or
    (process.name : ("powershell.exe", "pwsh.exe") and
     process.args : ("ExitWindowsEx", "InitiateSystemShutdown", "InitiateSystemShutdownExW",
                     "NtRaiseHardError", "ZwRaiseHardError",
                     "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
                     "OptionShutdownSystem", "SeShutdownPrivilege"))
    or
    (process.name : ("shutdown", "reboot", "halt", "poweroff") and
     not process.name : "*.exe" and
     host.os.type : ("linux", "macos"))
    or
    (process.name : "systemctl" and
     process.args : ("poweroff", "reboot", "halt", "shutdown") and
     host.os.type : ("linux", "macos"))
  )
]

// Standalone alert for high-risk single events
process where event.type == "start" and
(
  (
    process.name : "shutdown.exe" and
    process.args : ("/s", "/r", "-s", "-r") and
    (
      process.args : ("/t", "-t") or
      process.args : ("/f", "-f") or
      process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                              "cscript.exe", "mshta.exe", "regsvr32.exe",
                              "rundll32.exe", "msiexec.exe")
    )
  )
  or
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*ExitWindowsEx*", "*InitiateSystemShutdown*",
                            "*NtRaiseHardError*", "*ZwRaiseHardError*",
                            "*EWX_SHUTDOWN*", "*EWX_REBOOT*", "*OptionShutdownSystem*")
  )
)

high severity high confidence

Detects T1529 System Shutdown/Reboot abuse across Windows, Linux, and macOS. Covers three branches: (1) shutdown.exe with suspicious flags or parent processes, (2) PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError) commonly seen in destructive malware like WhisperGate and LockerGoga, and (3) native Linux/macOS shutdown utilities invoked with force or immediate flags.

Data Sources

Elastic EndpointWinlogbeat with SysmonAuditbeat (Linux/macOS)

Required Tables

logs-endpoint.events.process-*winlogbeat-*auditbeat-*

False Positives & Tuning

Legitimate scheduled maintenance scripts that invoke shutdown.exe or systemctl poweroff during approved maintenance windows
IT administrators performing remote shutdowns via SCCM, Ansible, or similar orchestration tools that spawn shutdown.exe from cmd.exe or PowerShell
Software installers or update mechanisms (e.g., Windows Update, patch management agents) that require reboots and invoke shutdown.exe from msiexec.exe

Download portable Sigma rule (.yml)

Other platforms for T1529

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)
Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.
Test 2Forced Immediate Reboot — Wiper Simulation (Lab VM Only)
Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.
Test 3PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — P/Invoke signature is defined but the method is never invoked.
Test 4Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)
Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and cancellation. sudo pam_unix authentication log entries.

Last updated: 2026-04-20 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1561Disk Wipe T1561.002Disk Structure Wipe T1490Inhibit System Recovery T1489Service Stop T1485Data Destruction T1134Access Token Manipulation T1059.001PowerShell T1059.008Network Device CLI T1486Data Encrypted for Impact

Detect System Shutdown/Reboot in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1529

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Impact

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1529

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox