
Detect System Shutdown/Reboot in Sumo Logic CSE

Adversaries may shut down or reboot systems to interrupt access to them or to aid in their destruction. Shutdown and reboot commands exist on all major operating systems and can be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490), forcing a reboot so that the destructive changes take effect and leave the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError and ZwRaiseHardError are abused to force shutdowns programmatically or to trigger a blue screen of death (BSOD). The technique is observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD) and Qilin ransomware targeting backup servers.

MITRE ATT&CK

Tactic: Impact
Technique: T1529 System Shutdown/Reboot
Canonical reference: https://attack.mitre.org/techniques/T1529/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```
(_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/linux/syslog" OR _sourceCategory="os/macos/audit")
// Windows sources: keep only Sysmon Event ID 1 (Process Create); Linux/macOS sources pass through
| where EventID = 1 OR EventID = "1" OR _sourceCategory matches "*linux*" OR _sourceCategory matches "*macos*"
// If CommandLine/Image/ParentImage are already extracted fields (e.g. Sysmon JSON), use them directly and drop these parses
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| where (
    // shutdown.exe with a shutdown (/s) or reboot (/r) switch; the last two catch a switch at end of line
    (image_path matches "*\\shutdown.exe" and (
      cmd_line matches "*/s *" or cmd_line matches "*/r *" or
      cmd_line matches "*-s *" or cmd_line matches "*-r *" or
      cmd_line matches "*/s" or cmd_line matches "*/r"
    ))
    // PowerShell referencing the shutdown/BSOD APIs (P/Invoke) or SeShutdownPrivilege
    or (
      (image_path matches "*\\powershell.exe" or image_path matches "*\\pwsh.exe") and (
        cmd_line matches "*ExitWindowsEx*" or cmd_line matches "*InitiateSystemShutdown*" or
        cmd_line matches "*NtRaiseHardError*" or cmd_line matches "*ZwRaiseHardError*" or
        cmd_line matches "*EWX_SHUTDOWN*" or cmd_line matches "*EWX_REBOOT*" or
        cmd_line matches "*EWX_POWEROFF*" or cmd_line matches "*OptionShutdownSystem*" or
        cmd_line matches "*SeShutdownPrivilege*"
      )
    )
    // Linux/macOS shutdown binaries, regardless of arguments
    or (
      (image_path matches "*/shutdown" or image_path matches "*/reboot" or
       image_path matches "*/halt" or image_path matches "*/poweroff")
      and not image_path matches "*.exe"
    )
    // systemd power verbs
    or (
      image_path matches "*/systemctl" and (
        cmd_line matches "*poweroff*" or cmd_line matches "*reboot*" or
        cmd_line matches "*halt*" or cmd_line matches "*shutdown*"
      )
    )
  )
// Flag columns. Sumo has no eval operator: an expression followed by "as <name>" creates the field
| if(image_path matches "*\\shutdown.exe", 1, 0) as is_windows_shutdown
| if(
    (image_path matches "*\\powershell.exe" or image_path matches "*\\pwsh.exe") and
    (cmd_line matches "*ExitWindowsEx*" or cmd_line matches "*InitiateSystemShutdown*" or
     cmd_line matches "*NtRaiseHardError*" or cmd_line matches "*ZwRaiseHardError*" or
     cmd_line matches "*EWX_SHUTDOWN*" or cmd_line matches "*EWX_REBOOT*" or
     cmd_line matches "*EWX_POWEROFF*" or cmd_line matches "*OptionShutdownSystem*" or
     cmd_line matches "*SeShutdownPrivilege*"),
    1, 0) as is_powershell_api
| if(
    (image_path matches "*/shutdown" or image_path matches "*/reboot" or
     image_path matches "*/halt" or image_path matches "*/poweroff" or
     image_path matches "*/systemctl")
    and not image_path matches "*.exe",
    1, 0) as is_linux_mac_shutdown
| if(
    cmd_line matches "*/t 0*" or cmd_line matches "*-t 0*" or
    cmd_line matches "* now*" or cmd_line matches "*+0*",
    1, 0) as immediate_shutdown
// end-of-line variants so "shutdown /r /f" is caught as forced too
| if(
    cmd_line matches "*/f *" or cmd_line matches "*/f" or
    cmd_line matches "*-f *" or cmd_line matches "*-f" or
    cmd_line matches "*--force*",
    1, 0) as forced_shutdown
| if(cmd_line matches "*/m *" or cmd_line matches "*/m\\\\*", 1, 0) as remote_shutdown
| if(
    parent_image matches "*\\cmd.exe" or parent_image matches "*\\powershell.exe" or
    parent_image matches "*\\pwsh.exe" or parent_image matches "*\\wscript.exe" or
    parent_image matches "*\\cscript.exe" or parent_image matches "*\\mshta.exe" or
    parent_image matches "*\\regsvr32.exe" or parent_image matches "*\\rundll32.exe" or
    parent_image matches "*\\msiexec.exe",
    1, 0) as suspicious_parent
// is_linux_mac_shutdown is scored as well; without it a bare "systemctl reboot" scores 0 and is dropped below
| is_windows_shutdown + (is_powershell_api * 4) + is_linux_mac_shutdown + immediate_shutdown +
  forced_shutdown + (suspicious_parent * 2) + remote_shutdown as risk_score
| where risk_score >= 1
| fields _messageTime, Computer, User, image_path, cmd_line, parent_image,
         is_windows_shutdown, is_powershell_api, is_linux_mac_shutdown,
         immediate_shutdown, forced_shutdown, remote_shutdown, suspicious_parent, risk_score
| sort by risk_score desc, _messageTime desc
```

Severity: high. Confidence: medium.

Detects T1529 System Shutdown/Reboot activity in Sumo Logic by parsing Sysmon Event ID 1 (Process Create) records and equivalent Linux/macOS process-creation events. It applies the same risk-scoring model as the KQL/SPL detections: PowerShell use of the shutdown APIs scores highest (4 points), a suspicious parent process scores 2, and the Windows shutdown.exe, Linux/macOS shutdown-binary, immediate, forced and remote flags each add 1. Every event that survives the initial filter sets at least one 1-point flag, so the risk_score >= 1 threshold keeps every genuine shutdown/reboot command and the score orders them for triage; raise the threshold to surface only events with more than one indicator (forced, immediate, remote, or spawned from a script host).

Two caveats. The query is written in the Sumo Logic search query language, suitable for a scheduled search or hunting; a Cloud SIEM (CSE) rule expression would use the normalized record fields (baseImage, commandLine, parentBaseImage) rather than the raw Sysmon field names. The Linux/macOS branch also assumes a process-creation source that exposes Image and CommandLine, such as Sysmon for Linux; raw auditd EXECVE records carry the executable in exe and the arguments in a0, a1, ... and need their own parse before this logic applies.
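To see how the filter, flags and weights combine, here is an added Python model of the query's logic (example code written for this page, not the query itself or any Sumo Logic library), run over a handful of constructed process-creation events. The hostnames, users, paths and command lines are made up; Sumo's matches operator is emulated as a case-sensitive glob, which is an assumption; and the Linux/macOS flag is counted as one point so that a bare systemctl reboot survives the threshold.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Added example, not code from the original page: a Python model of the Sumo
# query's filter, flag and risk-score logic so each flag's contribution can be
# checked offline. Sumo's `matches` is emulated as a case-sensitive glob
# (assumption); everything else follows the query's patterns literally.

WIN_API_TOKENS = ("ExitWindowsEx", "InitiateSystemShutdown", "NtRaiseHardError",
                  "ZwRaiseHardError", "EWX_SHUTDOWN", "EWX_REBOOT", "EWX_POWEROFF",
                  "OptionShutdownSystem", "SeShutdownPrivilege")
SUSPICIOUS_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe")
UNIX_SHUTDOWN_BINARIES = ("shutdown", "reboot", "halt", "poweroff")
SYSTEMCTL_VERBS = ("poweroff", "reboot", "halt", "shutdown")
WEIGHTS = {"is_powershell_api": 4, "suspicious_parent": 2}  # every other flag counts 1


def matches(value: str, *patterns: str) -> bool:
    """Emulates the query's `matches`: true if any glob pattern (* wildcard) matches."""
    return any(fnmatchcase(value, p) for p in patterns)


@dataclass
class ProcessEvent:
    """The fields the query parses from a Sysmon (or Sysmon for Linux) Event ID 1 record."""
    computer: str
    user: str
    image: str          # Image
    command_line: str   # CommandLine
    parent_image: str   # ParentImage


def flags(ev: ProcessEvent) -> Optional[dict]:
    """Return the query's flag columns for an event, or None if the event fails
    the initial where-filter (i.e. it is not a shutdown/reboot invocation at all)."""
    img, cmd, parent = ev.image, ev.command_line, ev.parent_image
    # Branch 1: shutdown.exe with /s or /r (-s, -r), including a switch at end of line
    win_shutdown = matches(img, "*\\shutdown.exe") and matches(
        cmd, "*/s *", "*/r *", "*-s *", "*-r *", "*/s", "*/r")
    # Branch 2: PowerShell referencing the shutdown/BSOD APIs
    ps_api = matches(img, "*\\powershell.exe", "*\\pwsh.exe") and any(t in cmd for t in WIN_API_TOKENS)
    # Branches 3/4: Unix shutdown binaries (any arguments) or systemctl with a power verb
    unix_binary = matches(img, *("*/" + b for b in UNIX_SHUTDOWN_BINARIES)) and not matches(img, "*.exe")
    systemctl = matches(img, "*/systemctl") and any(v in cmd for v in SYSTEMCTL_VERBS)
    if not (win_shutdown or ps_api or unix_binary or systemctl):
        return None
    return {
        "is_windows_shutdown": int(win_shutdown),
        "is_powershell_api": int(ps_api),
        "is_linux_mac_shutdown": int(unix_binary or systemctl),
        "immediate_shutdown": int(matches(cmd, "*/t 0*", "*-t 0*", "* now*", "*+0*")),
        # end-of-line variants so "shutdown /r /f" is caught as forced too
        "forced_shutdown": int(matches(cmd, "*/f *", "*/f", "*-f *", "*-f", "*--force*")),
        "remote_shutdown": int(matches(cmd, "*/m *", "*/m\\\\*")),
        "suspicious_parent": int(matches(parent, *("*\\" + p for p in SUSPICIOUS_PARENTS))),
    }


def risk_score(f: dict) -> int:
    """Weighted sum: PowerShell API use 4, suspicious parent 2, all other flags 1.
    The Linux/macOS flag is included so a bare `systemctl reboot` scores 1, not 0."""
    return sum(v * WEIGHTS.get(k, 1) for k, v in f.items())


def score_events(events, threshold: int = 1) -> list:
    """Filter, flag, score and order events like the query (risk_score desc)."""
    rows = []
    for ev in events:
        f = flags(ev)
        if f is None:
            continue
        s = risk_score(f)
        if s >= threshold:
            rows.append({"computer": ev.computer, "user": ev.user,
                         "cmd": ev.command_line, "risk_score": s, **f})
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


# Constructed sample events (hosts, users, paths and command lines are made up).
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # wiper-style forced immediate reboot from a cmd.exe parent
    ProcessEvent("WS-FIN-07", "CORP\\jdoe", SYS32 + "shutdown.exe",
                 "shutdown.exe /r /f /t 0", SYS32 + "cmd.exe"),
    # inline P/Invoke call to ExitWindowsEx (API abuse, weighted 4)
    ProcessEvent("WS-FIN-07", "CORP\\jdoe", PS,
                 'powershell.exe -nop -w hidden -c "[W32]::ExitWindowsEx(1, 0)"',
                 "C:\\Windows\\explorer.exe"),
    # patch-management style delayed reboot (benign shape, scores 1)
    ProcessEvent("WS-HR-12", "NT AUTHORITY\\SYSTEM", SYS32 + "shutdown.exe",
                 'shutdown.exe /r /t 300 /c "Scheduled maintenance reboot"',
                 "C:\\Windows\\CCM\\CcmExec.exe"),
    # /s at end of line, spawned by PowerShell
    ProcessEvent("WS-HR-12", "CORP\\admin", SYS32 + "shutdown.exe", "shutdown.exe /s", PS),
    ProcessEvent("db-01", "root", "/usr/bin/systemctl", "systemctl reboot", "/usr/bin/sudo"),
    ProcessEvent("db-02", "root", "/usr/sbin/shutdown", "shutdown -h now", "/bin/bash"),
    # abort of a scheduled shutdown: no /s or /r, so it never passes the filter
    ProcessEvent("WS-HR-12", "CORP\\admin", SYS32 + "shutdown.exe", "shutdown.exe /a", SYS32 + "cmd.exe"),
]

if __name__ == "__main__":
    for row in score_events(SAMPLE_EVENTS):
        print(row["risk_score"], row["computer"], row["cmd"])
```

Running it orders the wiper-style forced reboot (5) above the PowerShell API call (4), the script-spawned end-of-line /s (3), the Linux shutdown -h now (2) and the two benign-looking 1-point rows, while the shutdown /a abort never enters the result set. Changing threshold to 3 shows what raising the Sumo threshold would keep.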

Data Sources

  • Sumo Logic Installed Collector (Windows Sysmon)
  • Sumo Logic Installed Collector (Linux syslog/auditd)
  • Sumo Logic Installed Collector (macOS audit)

Required Tables

  • _sourceCategory=os/windows/sysmon
  • _sourceCategory=os/linux/syslog
  • _sourceCategory=os/macos/audit

False Positives & Tuning

  • Automated patch management systems (SCCM, Ansible, Chef, Puppet) that invoke shutdown or reboot commands as part of approved maintenance tasks
  • Container orchestration or cloud automation (Kubernetes, Terraform, AWS SSM Run Command) that sends reboot signals through legitimate administrative channels
  • Developers testing shutdown/reboot handling in staging environments where Sysmon or audit logging is enabled and forwarded to production Sumo Logic

Testing Methodology

Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Windows Shutdown Scheduled and Aborted (Safe Telemetry Test)

     Expected signal: Sysmon Event ID 1 (Process Create) for shutdown.exe with CommandLine containing '/s /t 300 /c df00tech-detection-test'. System Event Log Event ID 1074 recording the initiated shutdown with process name and user SID. A second Sysmon Event ID 1 for shutdown.exe /a (the abort is its own process creation). Security Event ID 4688 for both executions if process auditing is enabled. Only the /s invocation matches the query (the /a abort carries no /s or /r switch), so expect one row; it scores 1, plus 2 if it was launched from cmd.exe or PowerShell.

  2. Test 2: Forced Immediate Reboot, Wiper Simulation (Lab VM Only)

     Expected signal: Sysmon Event ID 1 (captured before the reboot): Image=C:\Windows\System32\shutdown.exe, CommandLine='shutdown.exe /r /f /t 0'. System Event Log Event ID 1074 recorded immediately. Security Event ID 4688 if auditing is enabled. After the reboot: System Event Log Event ID 6006 (clean shutdown of the event log service). Prefetch file SHUTDOWN.EXE-*.pf updated. This command sets both immediate_shutdown and forced_shutdown, so it scores at least 3 (5 when spawned from cmd.exe or PowerShell). Because the reboot follows within seconds, confirm the event actually reached Sumo Logic rather than only the local event log.

  3. Test 3: PowerShell ExitWindowsEx API Reference (Safe, No Actual Shutdown)

     Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'ExitWindowsEx'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational showing the DllImport declaration. No shutdown occurs: the P/Invoke signature is declared but never called. The query inspects CommandLine only, so the declaration must be passed inline; if it lives in a .ps1 file, only the 4104 script block log shows it and this query does not fire.

  4. Test 4: Linux Shutdown Scheduled and Cancelled (Safe Telemetry Test)

     Expected signal: auditd EXECVE syscall record or Sysmon for Linux Event ID 1 for shutdown with arguments '-h +15 df00tech-detection-test'. Broadcast message to all logged-in users via wall. A second execution record for shutdown -c with the cancellation message. /var/log/syslog or journald entries for both the scheduled shutdown and the cancellation. sudo pam_unix authentication log entries. The Linux/macOS branch of the query keys on the binary path rather than its arguments, so with Sysmon for Linux both the -h +15 and the -c invocations match the filter (neither sets immediate_shutdown, since '+15' is not '+0'); raw auditd EXECVE records need their exe and a0..aN fields mapped onto image_path and cmd_line first.
