Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique System Shutdown/Reboot
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
System Shutdown/Reboot
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

System Shutdown/Reboot

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools. Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

ID: T1529
Tactic(s): Impact
Platforms: ESXi, Linux, macOS, Network Devices, Windows
Data Sources: Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Impact Type: Availability
Version: 1.4
Created: 04 Oct 2019
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
AcidRain

AcidRain reboots the target system once the various wiping processes are complete.(Citation: AcidRain JAGS 2022)
DCSrv

DCSrv has a function to sleep for two hours before rebooting the system.(Citation: Checkpoint MosesStaff Nov 2021)
BFG Agonizer

BFG Agonizer uses elevated privileges to call NtRaiseHardError to induce a "blue screen of death" on infected systems, causing a system crash. Once shut down, the system is no longer bootable.(Citation: Unit42 Agrius 2023)
MultiLayer Wiper

MultiLayer Wiper reboots the infected system following wiping and related tasks to prevent system recovery.(Citation: Unit42 Agrius 2023)
AcidPour

AcidPour includes functionality to reboot the victim system following wiping actions, similar to AcidRain.(Citation: SentinelOne AcidPour 2024)
LockerGoga

LockerGoga has been observed shutting down infected systems.(Citation: Wired Lockergoga 2019)
DustySky

DustySky can shutdown the infected machine.(Citation: Kaspersky MoleRATs April 2019)
Olympic Destroyer

Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
APT38

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.(Citation: FireEye APT38 Oct 2018)
Maze

Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.(Citation: Sophos Maze VM September 2020)
APT37

APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.(Citation: Talos Group123)
LookBack

LookBack can shutdown and reboot the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019)
Apostle

Apostle reboots the victim machine following wiping and related activity.(Citation: SentinelOne Agrius 2021)
WhisperGate

WhisperGate can shutdown a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` flag.(Citation: Cisco Ukraine Wipers January 2022)
KillDisk

KillDisk attempts to reboot the machine by terminating specific processes.(Citation: Trend Micro KillDisk 2)
XLoader

XLoader can initiate a system reboot or shutdown.(Citation: Google XLoader 2017)
ShrinkLocker

ShrinkLocker can restart the victim system if it encounters an error during execution, and will forcibly shutdown the system following encryption to lock out victim users.(Citation: Kaspersky ShrinkLocker 2024)
NotPetya

NotPetya will reboot the system one hour after infection.(Citation: Talos Nyetya June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Latrodectus

Latrodectus has the ability to restart compromised hosts.(Citation: Elastic Latrodectus May 2024)
CHIMNEYSWEEP

CHIMNEYSWEEP can reboot or shutdown the targeted system or logoff the current user.(Citation: Mandiant ROADSWEEP August 2022)
Lazarus Group

Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: US-CERT SHARPKNOT June 2018)
Shamoon

Shamoon will reboot the infected system once the wiping functionality has been completed.(Citation: Unit 42 Shamoon3 2018)(Citation: McAfee Shamoon December 2018)

DarkGate

DarkGate has used the `shutdown`command to shut down and/or restart the victim system.(Citation: Rapid7 BlackBasta 2024)

Black Basta

Black Basta has used `ShellExecuteA` to shut down and restart the victim system.(Citation: Trend Micro Black Basta May 2022)

HermeticWiper

HermeticWiper can initiate a system shutdown.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)
AvosLocker

AvosLocker’s Linux variant has terminated ESXi virtual machines.(Citation: Trend Micro AvosLocker Apr 2022)

Detection

Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006. Unexpected or unauthorized commands from network cli on network devices may also be associated with shutdown/reboot, e.g. the reload command.

References

  1. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  2. Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.
  3. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  4. CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.
  5. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  6. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
  7. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  8. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  9. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024.
  10. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  11. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  12. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  13. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  14. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  15. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  16. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  17. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  18. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  19. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
  20. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  21. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  22. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  23. Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
  24. Elastic. (n.d.). Suspicious Termination of ESXI Process. Retrieved March 27, 2025.
  25. Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng. (2024, July 19). Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma. Retrieved March 26, 2025.
  26. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  27. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.
  28. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  29. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  30. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  31. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  32. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  33. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
Навигация

Каталоги

БДУ ФСТЭК:
УБИ.113 Угроза перезагрузки аппаратных и программно-аппаратных средств вычислительной техники
Угроза заключается в возможности сброса пользователем (нарушителем) состояния оперативной памяти (обнуления памяти) путём случай...

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.