Detect System Shutdown/Reboot in IBM QRadar
Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1529 System Shutdown/Reboot
- Canonical reference
- https://attack.mitre.org/techniques/T1529/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
"Process Name" AS process_name,
"Command" AS command_line,
"Parent Process Name" AS parent_process,
CATEGORYNAME(category) AS event_category,
LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
CASE
WHEN LOWER("Process Name") LIKE '%shutdown.exe%' THEN 1
ELSE 0
END +
CASE
WHEN LOWER("Command") LIKE '%exitwindowsex%'
OR LOWER("Command") LIKE '%initiatesystemshutdown%'
OR LOWER("Command") LIKE '%ntraiseharderror%'
OR LOWER("Command") LIKE '%zwraiseharderror%'
OR LOWER("Command") LIKE '%ewx_shutdown%'
OR LOWER("Command") LIKE '%ewx_reboot%'
OR LOWER("Command") LIKE '%optionshutdownsystem%' THEN 4
ELSE 0
END +
CASE
WHEN LOWER("Command") LIKE '%/t 0%' OR LOWER("Command") LIKE '%-t 0%'
OR LOWER("Command") LIKE '%now%' THEN 1
ELSE 0
END +
CASE
WHEN LOWER("Command") LIKE '%/f%' OR LOWER("Command") LIKE '%-f %'
OR LOWER("Command") LIKE '%--force%' THEN 1
ELSE 0
END +
CASE
WHEN LOWER("Parent Process Name") LIKE '%cmd.exe%'
OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
OR LOWER("Parent Process Name") LIKE '%pwsh.exe%'
OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
OR LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
OR LOWER("Parent Process Name") LIKE '%rundll32.exe%'
OR LOWER("Parent Process Name") LIKE '%msiexec.exe%' THEN 2
ELSE 0
END AS risk_score
FROM events
WHERE
LOGSOURCETYPEID IN (
SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%'
OR name LIKE '%Windows%Security%'
OR name LIKE '%Audit%'
)
AND starttime > (NOW() - 86400000)
AND (
(
LOWER("Process Name") LIKE '%shutdown.exe%'
AND (
LOWER("Command") LIKE '%/s%' OR LOWER("Command") LIKE '%/r%'
OR LOWER("Command") LIKE '%-s %' OR LOWER("Command") LIKE '%-r %'
)
)
OR (
(LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
AND (
LOWER("Command") LIKE '%exitwindowsex%'
OR LOWER("Command") LIKE '%initiatesystemshutdown%'
OR LOWER("Command") LIKE '%ntraiseharderror%'
OR LOWER("Command") LIKE '%zwraiseharderror%'
OR LOWER("Command") LIKE '%ewx_shutdown%'
OR LOWER("Command") LIKE '%ewx_reboot%'
OR LOWER("Command") LIKE '%optionshutdownsystem%'
OR LOWER("Command") LIKE '%seshutdownprivilege%'
)
)
OR (
(
LOWER("Process Name") LIKE '%/shutdown'
OR LOWER("Process Name") LIKE '%/reboot'
OR LOWER("Process Name") LIKE '%/halt'
OR LOWER("Process Name") LIKE '%/poweroff'
)
AND LOWER("Process Name") NOT LIKE '%.exe'
)
OR (
LOWER("Process Name") LIKE '%systemctl%'
AND (
LOWER("Command") LIKE '%poweroff%'
OR LOWER("Command") LIKE '%reboot%'
OR LOWER("Command") LIKE '%halt%'
)
)
)
HAVING risk_score >= 1
ORDER BY risk_score DESC, event_time DESCDetects T1529 System Shutdown/Reboot activity via QRadar AQL by correlating process execution events across Windows Sysmon and Security logs. Covers shutdown.exe abuse, PowerShell Windows API invocations (ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError), and Linux/macOS native shutdown utilities. Risk scoring mirrors the KQL/SPL approach with weighted scoring for API abuse and suspicious parent processes.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled patch management reboots triggered by SCCM, WSUS, or similar enterprise tools that invoke shutdown.exe from authorized parent processes
- Linux cron-based maintenance scripts that call 'systemctl reboot' or 'shutdown -r now' during approved maintenance windows
- Security testing or red team exercises that exercise shutdown API calls in isolated lab environments logged to production QRadar
Other platforms for T1529
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)
Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.
- Test 2Forced Immediate Reboot — Wiper Simulation (Lab VM Only)
Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.
- Test 3PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — P/Invoke signature is defined but the method is never invoked.
- Test 4Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)
Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and cancellation. sudo pam_unix authentication log entries.
References (12)
- https://attack.mitre.org/techniques/T1529/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
- https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
- https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
- https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
- https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/
- https://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant
- https://ntdoc.m417z.com/ntraiseharderror
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
- https://www.cisa.gov/uscert/ncas/alerts/TA18-106A
Unlock Pro Content
Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.