Detect System Shutdown/Reboot in CrowdStrike LogScale
Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1529 System Shutdown/Reboot
- Canonical reference
- https://attack.mitre.org/techniques/T1529/
LogScale Detection Query
// T1529 System Shutdown/Reboot Detection
// Branch 1: Windows shutdown.exe abuse
#event_simpleName=ProcessRollup2
| FileName = /(?i)^shutdown\.exe$/
| CommandLine = /(?i)(\/s|\/r|-s\s|-r\s|-s$|-r$)/
| case {
CommandLine = /(?i)(/t\s*0|-t\s*0)/: ImmediateShutdown := "true";
* : ImmediateShutdown := "false"
}
| case {
CommandLine = /(?i)(/f\s|-f\s|--force)/: ForcedShutdown := "true";
* : ForcedShutdown := "false"
}
| case {
CommandLine = /(?i)(/m\s|/m\\\\)/: RemoteShutdown := "true";
* : RemoteShutdown := "false"
}
| case {
ParentBaseFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)/: SuspiciousParent := "true";
* : SuspiciousParent := "false"
}
| RiskScore := 1
| RiskScore := if(ImmediateShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(ForcedShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(RemoteShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(SuspiciousParent = "true", RiskScore + 2, RiskScore)
| DetectionBranch := "WindowsShutdownExe"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine,
ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
// Branch 2: PowerShell Windows API abuse
| union [
#event_simpleName=ProcessRollup2
| FileName = /(?i)^(powershell|pwsh)\.exe$/
| CommandLine = /(?i)(ExitWindowsEx|InitiateSystemShutdown|InitiateSystemShutdownExW|NtRaiseHardError|ZwRaiseHardError|EWX_SHUTDOWN|EWX_REBOOT|EWX_POWEROFF|OptionShutdownSystem|SeShutdownPrivilege)/
| ImmediateShutdown := "true"
| ForcedShutdown := "true"
| RemoteShutdown := "false"
| SuspiciousParent := "true"
| RiskScore := 4
| DetectionBranch := "PowerShellAPIAbuse"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine,
ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
]
// Branch 3: Linux/macOS shutdown utilities
| union [
#event_simpleName=ProcessRollup2
| FileName = /^(shutdown|reboot|halt|poweroff|systemctl)$/
| FileName != /\.exe$/
| case {
FileName = "systemctl": CommandLine = /(?i)(poweroff|reboot|halt|shutdown)/;
* : true
}
| case {
CommandLine = /(-t\s*0|\bnow\b|\+0)/: ImmediateShutdown := "true";
* : ImmediateShutdown := "false"
}
| case {
CommandLine = /(-f\s|--force)/: ForcedShutdown := "true";
* : ForcedShutdown := "false"
}
| RemoteShutdown := "false"
| case {
ParentBaseFileName = /(?i)(bash|sh|python|perl|ruby|php|node)/: SuspiciousParent := "true";
* : SuspiciousParent := "false"
}
| RiskScore := 1
| RiskScore := if(ImmediateShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(ForcedShutdown = "true", RiskScore + 1, RiskScore)
| RiskScore := if(SuspiciousParent = "true", RiskScore + 2, RiskScore)
| DetectionBranch := "LinuxMacShutdown"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine,
ParentBaseFileName, ImmediateShutdown, ForcedShutdown,
RemoteShutdown, SuspiciousParent, RiskScore, DetectionBranch])
]
| where RiskScore >= 1
| sort(RiskScore, order=desc)
| sort(@timestamp, order=desc)CrowdStrike LogScale (CQL) detection for T1529 System Shutdown/Reboot using Falcon ProcessRollup2 telemetry. Three unioned branches detect: (1) shutdown.exe invocations with shutdown/reboot flags, risk-scored by immediate, forced, and remote options plus suspicious parent processes; (2) PowerShell/pwsh invoking Windows API functions used by destructive malware (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError, EWX_SHUTDOWN); and (3) Linux/macOS native shutdown utilities (shutdown, reboot, halt, poweroff, systemctl) with suspicious interpreter parents. Events with risk_score >= 1 are surfaced, sorted by score descending.
Data Sources
Required Tables
False Positives & Tuning
- Falcon Real Time Response (RTR) sessions where administrators issue shutdown or reboot commands to remote hosts through the Falcon console, generating ProcessRollup2 events for shutdown.exe
- Automated CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that trigger system reboots after kernel updates or configuration changes via scripts spawning shutdown utilities
- Endpoint compliance enforcement tools that detect and remediate drift by rebooting systems to apply group policy or configuration changes, typically spawning shutdown.exe from msiexec.exe or a management agent
Other platforms for T1529
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)
Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.
- Test 2Forced Immediate Reboot — Wiper Simulation (Lab VM Only)
Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.
- Test 3PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — P/Invoke signature is defined but the method is never invoked.
- Test 4Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)
Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and cancellation. sudo pam_unix authentication log entries.
References (12)
- https://attack.mitre.org/techniques/T1529/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
- https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
- https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
- https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
- https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/
- https://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant
- https://ntdoc.m417z.com/ntraiseharderror
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
- https://www.cisa.gov/uscert/ncas/alerts/TA18-106A
Unlock Pro Content
Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.