title: System Shutdown/Reboot (T1529)
id: df00tech-t1529
status: experimental
description: "Adversaries may shutdown or reboot systems to interrupt access to, or aid in the destruction of, those systems. Shutdown and reboot commands exist across all major operating systems and may be invoked locally or remotely. Adversaries commonly pair T1529 with destructive techniques such as disk wiping (T1561) or inhibiting system recovery (T1490) to force destructive effects to take hold after reboot renders the system unbootable. Windows API functions including ExitWindowsEx, InitiateSystemShutdown, NtRaiseHardError, and ZwRaiseHardError are abused to programmatically force shutdowns or trigger blue screens of death (BSOD). Observed extensively in destructive malware: LockerGoga, Olympic Destroyer, WhisperGate (ExitWindowsEx with EWX_SHUTDOWN), AcidRain, AcidPour, Apostle, DCSrv, MultiLayer Wiper, BFG Agonizer (NtRaiseHardError BSOD), and Qilin ransomware targeting backup servers."
references:
  - https://attack.mitre.org/techniques/T1529/
  - https://df00tech.com/detections/T1529
author: df00tech
date: 2026/04/20
tags:
  - attack.t1529
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators performing scheduled maintenance reboots via RMM agents (ConnectWise Control, Kaseya VSA, TeamViewer) — these typically spawn from the RMM agent process, not scripting hosts"
  - "Windows Update process initiating reboots after patch installation — typically initiated by TrustedInstaller or svchost.exe with wuauserv service tag, with long /t timeout values"
  - "Configuration management and patch automation platforms (Ansible WinRM, SCCM, Intune) executing shutdown commands as part of deployment or patch cycles — usually from known service accounts at scheduled times"
  - "Hypervisor guest agents (VMware Tools vmtoolsd.exe, VirtualBox additions) performing coordinated shutdown during snapshot or migration operations"
  - "Legitimate helpdesk personnel remotely rebooting endpoints via shutdown /m after troubleshooting sessions — identifiable by the /r flag (reboot, not shutdown) and corresponding helpdesk ticket"
level: high