Detect System Shutdown/Reboot in Splunk
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) so that the destructive effects take hold once the reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). The technique has been observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1529 System Shutdown/Reboot
- Canonical reference: https://attack.mitre.org/techniques/T1529/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\shutdown.exe" AND (CommandLine="*/s *" OR CommandLine="*/r *" OR CommandLine="*-s *" OR CommandLine="*-r *" OR CommandLine="*/s" OR CommandLine="*/r"))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
      AND (CommandLine="*ExitWindowsEx*" OR CommandLine="*InitiateSystemShutdown*" OR CommandLine="*NtRaiseHardError*"
           OR CommandLine="*ZwRaiseHardError*" OR CommandLine="*EWX_SHUTDOWN*" OR CommandLine="*EWX_REBOOT*"
           OR CommandLine="*OptionShutdownSystem*" OR CommandLine="*SeShutdownPrivilege*"))
  OR (Image="*/shutdown" OR Image="*/reboot" OR Image="*/halt" OR Image="*/poweroff")
  OR (Image="*/systemctl" AND (CommandLine="*poweroff*" OR CommandLine="*reboot*" OR CommandLine="*halt*"))
)
| eval IsWindowsShutdownExe=if(match(Image, "\\\\shutdown\.exe$"), 1, 0)
| eval IsPowerShellAPI=if(match(lower(CommandLine), "(exitwindowsex|initiatesystemshutdown|ntraiseharderror|zwraiseharderror|ewx_shutdown|ewx_reboot|ewx_poweroff|optionshutdownsystem|seshutdownprivilege)"), 1, 0)
| eval IsLinuxMacShutdown=if(match(Image, "/(shutdown|reboot|halt|poweroff|systemctl)$") AND NOT match(Image, "\.exe"), 1, 0)
| eval ImmediateShutdown=if(match(CommandLine, "(/t\s*0|-t\s*0|\bnow\b|\+0)"), 1, 0)
| eval ForcedShutdown=if(match(CommandLine, "(/f|-f)(\s|\"|$)|--force"), 1, 0)
| eval RemoteShutdown=if(match(CommandLine, "(/m\s|/m\\\\)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)"), 1, 0)
| eval RiskScore=IsWindowsShutdownExe + (IsPowerShellAPI * 4) + ImmediateShutdown + ForcedShutdown + (SuspiciousParent * 2) + RemoteShutdown
| where RiskScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsWindowsShutdownExe, IsPowerShellAPI, IsLinuxMacShutdown,
        ImmediateShutdown, ForcedShutdown, RemoteShutdown, SuspiciousParent, RiskScore
| sort - RiskScore - _time
Detects system shutdown and reboot commands using Sysmon Event ID 1 (Process Creation). Four detection branches cover Windows shutdown.exe, PowerShell abuse of the Windows shutdown APIs (ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, ZwRaiseHardError), the Linux/macOS shutdown utilities (shutdown, reboot, halt, poweroff), and systemctl poweroff/reboot/halt. The base search uses wildcard matches only, because the search command cannot call the match() eval function; the regex checks live in the eval stage. Risk scoring: PowerShell API abuse scores 4 baseline (near-zero false positive rate), a scripting-host or LOLBin parent process scores +2, and shutdown.exe itself, the immediate (/t 0 or 'now') flag, the forced (/f) flag and a remote target (/m) each score +1; the Linux/macOS flag is reported in the output but carries no weight. Events with RiskScore >= 3 warrant immediate escalation; >= 5 indicates a confirmed malicious pattern. Tune the threshold in high-volume environments by raising the minimum RiskScore in the where clause.
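To see how the scoring behaves on concrete events before deploying the query, here is an added Python re-implementation of the eval flags and RiskScore (example code written for this page, not part of the detection package). The sample Sysmon events, the RMMAgent path and the [Native] class name in the PowerShell command are constructed.

```python
import re

# Regexes mirroring the eval flags of the SPL query; image paths are matched
# case-insensitively, and CommandLine is lowercased for the API check as the query does.
WIN_SHUTDOWN = re.compile(r"\\shutdown\.exe$", re.I)
PS_API = re.compile(r"exitwindowsex|initiatesystemshutdown|ntraiseharderror|zwraiseharderror|"
                    r"ewx_shutdown|ewx_reboot|ewx_poweroff|optionshutdownsystem|seshutdownprivilege")
NIX_SHUTDOWN = re.compile(r"/(shutdown|reboot|halt|poweroff|systemctl)$")
IMMEDIATE = re.compile(r"/t\s*0|-t\s*0|\bnow\b|\+0")
FORCED = re.compile(r'(?:/f|-f)(?:\s|"|$)|--force')
REMOTE = re.compile(r"/m\s|/m\\")
BAD_PARENT = re.compile(r"(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|msiexec)\.exe", re.I)

def score_event(ev):
    """Compute the per-event flags and RiskScore exactly as the SPL evals do."""
    image, cmd, parent = ev["Image"], ev["CommandLine"], ev.get("ParentImage", "")
    f = {
        "IsWindowsShutdownExe": bool(WIN_SHUTDOWN.search(image)),
        "IsPowerShellAPI": bool(PS_API.search(cmd.lower())),
        "IsLinuxMacShutdown": bool(NIX_SHUTDOWN.search(image)) and ".exe" not in image,
        "ImmediateShutdown": bool(IMMEDIATE.search(cmd)),
        "ForcedShutdown": bool(FORCED.search(cmd)),
        "RemoteShutdown": bool(REMOTE.search(cmd)),
        "SuspiciousParent": bool(BAD_PARENT.search(parent)),
    }
    # Weights from the query: PowerShell API x4, suspicious parent x2, the rest x1.
    # IsLinuxMacShutdown is reported but carries no weight, exactly as in the query.
    f["RiskScore"] = (f["IsWindowsShutdownExe"] + 4 * f["IsPowerShellAPI"] + f["ImmediateShutdown"]
                      + f["ForcedShutdown"] + 2 * f["SuspiciousParent"] + f["RemoteShutdown"])
    return f

def tier(score):
    """Escalation tier from the thresholds given in the query description."""
    return "confirmed" if score >= 5 else "escalate" if score >= 3 else "review"

# Constructed sample Sysmon EID 1 events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown.exe /r /f /t 0",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # wiper-style forced reboot
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "[Native]::ExitWindowsEx(EWX_SHUTDOWN, 0)"',
     "ParentImage": r"C:\Windows\explorer.exe"},                            # API abuse, benign parent
    {"Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown.exe /r /t 300 /c patching",
     "ParentImage": r"C:\Program Files\RMMAgent\agent.exe"},               # scheduled maintenance
    {"Image": "/usr/sbin/shutdown", "CommandLine": "shutdown -h now", "ParentImage": "/bin/bash"},
]

def run_detection(events, min_score=1):
    """Apply the query's RiskScore filter and ordering; return (CommandLine, score, tier) rows."""
    rows = [(e["CommandLine"], s["RiskScore"], tier(s["RiskScore"]))
            for e in events for s in [score_event(e)] if s["RiskScore"] >= min_score]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

The Linux event lands at RiskScore 1 purely from the 'now' flag, which is the practical consequence of the unweighted IsLinuxMacShutdown column: raising the threshold to 3 silently drops Linux/macOS shutdowns unless a weight is added.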
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators performing scheduled maintenance reboots via RMM agents — identifiable by known RMM agent parent processes (ConnectWise, Kaseya, TeamViewer) at expected maintenance windows
- Windows Update reboots — parent process is typically TrustedInstaller or svchost.exe with long timeout values and predictable scheduling
- Configuration management platforms (Ansible, SCCM, Intune) executing shutdown commands during patch cycles — known service accounts at scheduled times
- Hypervisor guest agents performing coordinated shutdown during snapshot or live migration operations
- Legitimate helpdesk remote reboot sessions — correlate with ticketing system records and RMM session logs
Other platforms for T1529
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)
  Expected signal: Sysmon Event ID 1: Process Create for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. Second Sysmon Event ID 1 for shutdown.exe /a (abort, generates its own process creation event). Security Event ID 4688 for both executions if process auditing is enabled.
- Test 2: Forced Immediate Reboot — Wiper Simulation (Lab VM Only)
  Expected signal: Sysmon Event ID 1 (captured before reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing enabled. After reboot: System Event Log Event ID 6006 (clean shutdown). Prefetch file SHUTDOWN.EXE-*.pf updated.
- Test 3: PowerShell ExitWindowsEx API Reference (Safe — No Actual Shutdown)
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No actual shutdown occurs — the P/Invoke signature is defined but the method is never invoked.
- Test 4: Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)
  Expected signal: Auditd EXECVE syscall record or Sysmon for Linux Event ID 1: execution of shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. Second execution record for shutdown -c with the cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and the cancellation. sudo pam_unix authentication log entries.
References (12)
- https://attack.mitre.org/techniques/T1529/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
- https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
- https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
- https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
- https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/
- https://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant
- https://ntdoc.m417z.com/ntraiseharderror
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
- https://www.cisa.gov/uscert/ncas/alerts/TA18-106A