attack_technique: T1529
display_name: System Shutdown/Reboot
atomic_tests:
- name: Shutdown System - Windows
  auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64
  description: |
    This test shuts down a Windows system.
  supported_platforms:
  - windows
  input_arguments:
    timeout:
      description: Timeout period before shutdown (seconds)
      type: integer
      default: 1
  executor:
    command: |
      shutdown /s /t #{timeout}
    name: command_prompt
    elevation_required: true
- name: Restart System - Windows
  auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302
  description: |
    This test restarts a Windows system.
  supported_platforms:
  - windows
  input_arguments:
    timeout:
      description: Timeout period before restart (seconds)
      type: integer
      default: 1
  executor:
    command: |
      shutdown /r /t #{timeout}
    name: command_prompt
    elevation_required: true
- name: Restart System via `shutdown` - FreeBSD/macOS/Linux
  auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb
  description: |
    This test restarts a FreeBSD/macOS/Linux system.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    timeout:
      description: Time to restart (can be minutes or specific time)
      type: string
      default: now
  executor:
    command: |
      shutdown -r #{timeout}
    name: sh
    elevation_required: true
- name: Shutdown System via `shutdown` - FreeBSD/macOS/Linux
  auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de
  description: |
    This test shuts down a FreeBSD/macOS/Linux system using a halt.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    timeout:
      description: Time to shutdown (can be minutes or specific time)
      type: string
      default: now
  executor:
    command: |
      shutdown -h #{timeout}
    name: sh
    elevation_required: true
- name: Restart System via `reboot` - FreeBSD/macOS/Linux
  auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027
  description: |
    This test restarts a FreeBSD/macOS/Linux system via `reboot`.
  supported_platforms:
  - linux
  - macos
  executor:
    command: |
      reboot
    name: sh
    elevation_required: true
- name: Shutdown System via `halt` - FreeBSD/Linux
  auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd
  description: |
    This test shuts down a FreeBSD/Linux system using `halt`.
  supported_platforms:
  - linux
  executor:
    command: |
      halt -p
    name: sh
    elevation_required: true
- name: Reboot System via `halt` - FreeBSD
  auto_generated_guid: 7b1cee42-320f-4890-b056-d65c8b884ba5
  description: |
    This test restarts a FreeBSD system using `halt`.
  supported_platforms:
  - linux
  executor:
    command: |
      halt -r
    name: sh
    elevation_required: true
- name: Reboot System via `halt` - Linux
  auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e
  description: |
    This test restarts a Linux system using `halt`.
  supported_platforms:
  - linux
  executor:
    command: |
      halt --reboot
    name: bash
    elevation_required: true
- name: Shutdown System via `poweroff` - FreeBSD/Linux
  auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa
  description: |
    This test shuts down a FreeBSD/Linux system using `poweroff`.
  supported_platforms:
  - linux
  executor:
    command: |
      poweroff
    name: sh
    elevation_required: true
- name: Reboot System via `poweroff` - FreeBSD
  auto_generated_guid: 5a282e50-86ff-438d-8cef-8ae01c9e62e1
  description: |
    This test restarts a FreeBSD system using `poweroff`.
  supported_platforms:
  - linux
  executor:
    command: |
      poweroff -r 3
    name: sh
    elevation_required: true
- name: Reboot System via `poweroff` - Linux
  auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41
  description: |
    This test restarts a Linux system using `poweroff`.
  supported_platforms:
  - linux
  executor:
    command: |
      poweroff --reboot
    name: bash
    elevation_required: true
- name: Logoff System - Windows
  auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
  description: |
    This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
  supported_platforms:
  - windows
  executor:
    command: |
      shutdown /l 
    name: command_prompt
    elevation_required: true
- name: ESXi - Terminates VMs using pkill
  auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b
  description: |
    In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.
    [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi Server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on ESXi Server
      type: string
      default: root
    vm_pass:
      description: Specify the privilege user password on ESXi Server
      type: string
      default: pass
    plink_file:
      description: Path to plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    cli_script:
      description: Path to text with commands
      type: path
      default: PathToAtomicsFolder\T1529\src\esx_pkill.txt  
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink is available.
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    command: |
       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
    name: command_prompt
    elevation_required: false
- name: ESXi - Avoslocker enumerates VMs and forcefully kills VMs
  auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece
  description: |
    Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them.
    [Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi Server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on ESXi Server
      type: string
      default: root
    vm_pass:
      description: Specify the privilege user password on ESXi Server
      type: string
      default: pass
    plink_file:
      description: Path to plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    cli_script:
      description: Path to text with commands
      type: path
      default: PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt  
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink is available.
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    command: |
       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
    name: command_prompt
    elevation_required: false
- name: ESXi - vim-cmd Used to Power Off VMs
  auto_generated_guid: 622cc1a0-45e7-428c-aed7-c96dd605fbe6
  description: |
    Adversaries may power off VMs to facilitate the deployment of ransomware payloads.
    [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#power%20off%20vm)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name or IP of the ESXi server.
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on the ESXi server.
      type: string
      default: root
    vm_pass:
      description: Specify the privileged user's password.
      type: string
      default: password
    plink_file:
      description: Path to Plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if we have plink
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    command: |
      echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/power.off $i & done"
    name: command_prompt
    elevation_required: false
- name: Abuse of Linux Magic System Request Key for Reboot
  auto_generated_guid: d2a1f4bc-a064-4223-8281-a086dce5423c
  description: |
    adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can forced to reboot.
  supported_platforms:
  - linux
  executor:
    command: |
      echo "b" > /proc/sysrq-trigger
    name: bash
    elevation_required: true