T1529 Microsoft Sentinel · KQL

Detect System Shutdown/Reboot in Microsoft Sentinel

Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.

MITRE ATT&CK

Tactic
Impact
Technique
T1529 System Shutdown/Reboot
Canonical reference
https://attack.mitre.org/techniques/T1529/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"]);
// Branch 1: Windows shutdown.exe
let WindowsShutdown = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "shutdown.exe"
| where ProcessCommandLine has_any ("/s", "/r", "-s", "-r")
| extend ImmediateShutdown = ProcessCommandLine has "/t 0" or ProcessCommandLine has "-t 0"
| extend ForcedShutdown = ProcessCommandLine has "/f" or ProcessCommandLine has "-f"
| extend RemoteShutdown = ProcessCommandLine has "/m"
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend RiskScore = toint(ImmediateShutdown) + toint(ForcedShutdown) + toint(SuspiciousParent) * 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="WindowsShutdownExe";
// Branch 2: PowerShell Windows API abuse (ExitWindowsEx, NtRaiseHardError)
let PowerShellAPIAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "ExitWindowsEx", "InitiateSystemShutdown", "InitializeSystemShutdownExW",
    "NtRaiseHardError", "ZwRaiseHardError",
    "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
    "OptionShutdownSystem", "SeShutdownPrivilege"
  )
| extend ImmediateShutdown = true
| extend ForcedShutdown = true
| extend RemoteShutdown = false
| extend SuspiciousParent = true
| extend RiskScore = 4
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="PowerShellAPIAbuse";
// Branch 3: Linux/macOS shutdown utilities
let LinuxMacShutdown = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ ("shutdown", "reboot", "halt", "poweroff"))
    or (FileName =~ "systemctl" and ProcessCommandLine has_any ("poweroff", "reboot", "halt", "shutdown"))
    or (FileName =~ "init" and ProcessCommandLine matches regex @"\s[06]$")
  )
| where DeviceOSPlatform in~ ("Linux", "macOS")
| extend ImmediateShutdown = ProcessCommandLine has_any ("-t 0", "now", "+0")
| extend ForcedShutdown = ProcessCommandLine has_any ("-f", "--force")
| extend RemoteShutdown = false
| extend SuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend RiskScore = toint(ImmediateShutdown) + toint(ForcedShutdown) + toint(SuspiciousParent) * 2
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore,
         DetectionBranch="LinuxMacShutdown";
WindowsShutdown
| union PowerShellAPIAbuse
| union LinuxMacShutdown
| where RiskScore >= 1
| sort by RiskScore desc, Timestamp desc
high severity medium confidence

Detects system shutdown and reboot commands across Windows, Linux, and macOS using Microsoft Defender for Endpoint DeviceProcessEvents. Three detection branches cover: (1) Windows shutdown.exe with /s or /r flags, scored higher for /t 0 (immediate), /f (forced), or suspicious initiating process; (2) PowerShell invoking shutdown-related Windows API functions — ExitWindowsEx, NtRaiseHardError, ZwRaiseHardError, InitiateSystemShutdown — a near-zero false-positive indicator used by WhisperGate and BFG Agonizer; (3) Linux/macOS shutdown, reboot, halt, poweroff, and systemctl poweroff/reboot. Risk scoring allows threshold tuning: RiskScore 1 for routine shutdown commands, 3+ for forced/immediate, 4 for API abuse. Filter to RiskScore >= 3 in high-volume environments.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • System administrators performing scheduled maintenance reboots via RMM agents (ConnectWise Control, Kaseya VSA, TeamViewer) — these typically spawn from the RMM agent process, not scripting hosts
  • Windows Update process initiating reboots after patch installation — typically initiated by TrustedInstaller or svchost.exe with wuauserv service tag, with long /t timeout values
  • Configuration management and patch automation platforms (Ansible WinRM, SCCM, Intune) executing shutdown commands as part of deployment or patch cycles — usually from known service accounts at scheduled times
  • Hypervisor guest agents (VMware Tools vmtoolsd.exe, VirtualBox additions) performing coordinated shutdown during snapshot or migration operations
  • Legitimate helpdesk personnel remotely rebooting endpoints via shutdown /m after troubleshooting sessions — identifiable by the /r flag (reboot, not shutdown) and corresponding helpdesk ticket
Download portable Sigma rule (.yml)

Other platforms for T1529

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)

    Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.

  2. Test 2Forced Immediate Reboot — Wiper Simulation (Lab VM Only)

    Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.

  3. Test 3PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — P/Invoke signature is defined but the method is never invoked.

  4. Test 4Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)

    Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and cancellation. sudo pam_unix authentication log entries.

Last updated: 2026-04-20 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1529 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1561Disk WipeT1561.002Disk Structure WipeT1490Inhibit System RecoveryT1489Service StopT1485Data DestructionT1134Access Token ManipulationT1059.001PowerShellT1059.008Network Device CLIT1486Data Encrypted for Impact

Same Tactic: Impact

Popular Detections