# T1529 - System Shutdown/Reboot
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1529)
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may also use Windows API functions, such as `InitializeSystemShutdownExW` or `ExitWindowsEx`, to force a system to shut down or reboot.(Citation: CrowdStrike Blog)(Citation: Unit42 Agrius 2023) Alternatively, the `NtRaiseHardError`or `ZwRaiseHardError` Windows API functions with the `ResponseOption` parameter set to `OptionShutdownSystem` may deliver a “blue screen of death” (BSOD) to a system.(Citation: SonicWall)(Citation: NtRaiseHardError)(Citation: NotMe-BSOD) In order to leverage these API functions, an adversary may need to acquire `SeShutdownPrivilege` (e.g., via [Access Token Manipulation](https://attack.mitre.org/techniques/T1134)).(Citation: Unit42 Agrius 2023)
In some cases, the system may not be able to boot again.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
## Atomic Tests
- [Atomic Test #1 - Shutdown System - Windows](#atomic-test-1---shutdown-system---windows)
- [Atomic Test #2 - Restart System - Windows](#atomic-test-2---restart-system---windows)
- [Atomic Test #3 - Restart System via `shutdown` - FreeBSD/macOS/Linux](#atomic-test-3---restart-system-via-shutdown---freebsdmacoslinux)
- [Atomic Test #4 - Shutdown System via `shutdown` - FreeBSD/macOS/Linux](#atomic-test-4---shutdown-system-via-shutdown---freebsdmacoslinux)
- [Atomic Test #5 - Restart System via `reboot` - FreeBSD/macOS/Linux](#atomic-test-5---restart-system-via-reboot---freebsdmacoslinux)
- [Atomic Test #6 - Shutdown System via `halt` - FreeBSD/Linux](#atomic-test-6---shutdown-system-via-halt---freebsdlinux)
- [Atomic Test #7 - Reboot System via `halt` - FreeBSD](#atomic-test-7---reboot-system-via-halt---freebsd)
- [Atomic Test #8 - Reboot System via `halt` - Linux](#atomic-test-8---reboot-system-via-halt---linux)
- [Atomic Test #9 - Shutdown System via `poweroff` - FreeBSD/Linux](#atomic-test-9---shutdown-system-via-poweroff---freebsdlinux)
- [Atomic Test #10 - Reboot System via `poweroff` - FreeBSD](#atomic-test-10---reboot-system-via-poweroff---freebsd)
- [Atomic Test #11 - Reboot System via `poweroff` - Linux](#atomic-test-11---reboot-system-via-poweroff---linux)
- [Atomic Test #12 - Logoff System - Windows](#atomic-test-12---logoff-system---windows)
- [Atomic Test #13 - ESXi - Terminates VMs using pkill](#atomic-test-13---esxi---terminates-vms-using-pkill)
- [Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs](#atomic-test-14---esxi---avoslocker-enumerates-vms-and-forcefully-kills-vms)
- [Atomic Test #15 - ESXi - vim-cmd Used to Power Off VMs](#atomic-test-15---esxi---vim-cmd-used-to-power-off-vms)
- [Atomic Test #16 - Abuse of Linux Magic System Request Key for Reboot](#atomic-test-16---abuse-of-linux-magic-system-request-key-for-reboot)
## Atomic Test #1 - Shutdown System - Windows
This test shuts down a Windows system.
**Supported Platforms:** Windows
**auto_generated_guid:** ad254fa8-45c0-403b-8c77-e00b3d3e7a64
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before shutdown (seconds) | integer | 1|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
shutdown /s /t #{timeout}
```
## Atomic Test #2 - Restart System - Windows
This test restarts a Windows system.
**Supported Platforms:** Windows
**auto_generated_guid:** f4648f0d-bf78-483c-bafc-3ec99cd1c302
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before restart (seconds) | integer | 1|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
shutdown /r /t #{timeout}
```
## Atomic Test #3 - Restart System via `shutdown` - FreeBSD/macOS/Linux
This test restarts a FreeBSD/macOS/Linux system.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 6326dbc4-444b-4c04-88f4-27e94d0327cb
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Time to restart (can be minutes or specific time) | string | now|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
shutdown -r #{timeout}
```
## Atomic Test #4 - Shutdown System via `shutdown` - FreeBSD/macOS/Linux
This test shuts down a FreeBSD/macOS/Linux system using a halt.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 4963a81e-a3ad-4f02-adda-812343b351de
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Time to shutdown (can be minutes or specific time) | string | now|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
shutdown -h #{timeout}
```
## Atomic Test #5 - Restart System via `reboot` - FreeBSD/macOS/Linux
This test restarts a FreeBSD/macOS/Linux system via `reboot`.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 47d0b042-a918-40ab-8cf9-150ffe919027
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
reboot
```
## Atomic Test #6 - Shutdown System via `halt` - FreeBSD/Linux
This test shuts down a FreeBSD/Linux system using `halt`.
**Supported Platforms:** Linux
**auto_generated_guid:** 918f70ab-e1ef-49ff-bc57-b27021df84dd
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
halt -p
```
## Atomic Test #7 - Reboot System via `halt` - FreeBSD
This test restarts a FreeBSD system using `halt`.
**Supported Platforms:** Linux
**auto_generated_guid:** 7b1cee42-320f-4890-b056-d65c8b884ba5
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
halt -r
```
## Atomic Test #8 - Reboot System via `halt` - Linux
This test restarts a Linux system using `halt`.
**Supported Platforms:** Linux
**auto_generated_guid:** 78f92e14-f1e9-4446-b3e9-f1b921f2459e
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
halt --reboot
```
## Atomic Test #9 - Shutdown System via `poweroff` - FreeBSD/Linux
This test shuts down a FreeBSD/Linux system using `poweroff`.
**Supported Platforms:** Linux
**auto_generated_guid:** 73a90cd2-48a2-4ac5-8594-2af35fa909fa
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
poweroff
```
## Atomic Test #10 - Reboot System via `poweroff` - FreeBSD
This test restarts a FreeBSD system using `poweroff`.
**Supported Platforms:** Linux
**auto_generated_guid:** 5a282e50-86ff-438d-8cef-8ae01c9e62e1
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
poweroff -r 3
```
## Atomic Test #11 - Reboot System via `poweroff` - Linux
This test restarts a Linux system using `poweroff`.
**Supported Platforms:** Linux
**auto_generated_guid:** 61303105-ff60-427b-999e-efb90b314e41
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
poweroff --reboot
```
## Atomic Test #12 - Logoff System - Windows
This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
**Supported Platforms:** Windows
**auto_generated_guid:** 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
shutdown /l
```
## Atomic Test #13 - ESXi - Terminates VMs using pkill
In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.
[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
**Supported Platforms:** Windows
**auto_generated_guid:** 987c9b4d-a637-42db-b1cb-e9e242c3991b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe|
| cli_script | Path to text with commands | path | PathToAtomicsFolder\T1529\src\esx_pkill.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if plink is available.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
## Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs
Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them.
[Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
**Supported Platforms:** Windows
**auto_generated_guid:** 189f7d6e-9442-4160-9bc3-5e4104d93ece
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe|
| cli_script | Path to text with commands | path | PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if plink is available.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
## Atomic Test #15 - ESXi - vim-cmd Used to Power Off VMs
Adversaries may power off VMs to facilitate the deployment of ransomware payloads.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#power%20off%20vm)
**Supported Platforms:** Windows
**auto_generated_guid:** 622cc1a0-45e7-428c-aed7-c96dd605fbe6
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local|
| vm_user | Specify the privilege user account on the ESXi server. | string | root|
| vm_pass | Specify the privileged user's password. | string | password|
| plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/power.off $i & done"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if we have plink
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
## Atomic Test #16 - Abuse of Linux Magic System Request Key for Reboot
adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can forced to reboot.
**Supported Platforms:** Linux
**auto_generated_guid:** d2a1f4bc-a064-4223-8281-a086dce5423c
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo "b" > /proc/sysrq-trigger
```