- Home
- Techniques
- Enterprise
- System Shutdown/Reboot
System Shutdown/Reboot
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.[1] Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[2][3]
Procedure Examples
Name | Description |
---|---|
APT37 |
APT37 has used malware that will issue the command |
APT38 |
APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[5] |
DustySky | |
Lazarus Group |
Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[7] |
LockerGoga |
LockerGoga has been observed shutting down infected systems.[8] |
Maze |
Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[9] |
NotPetya |
NotPetya will reboot the system one hour after infection.[2] |
Olympic Destroyer |
Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[3] |
Shamoon |
Shamoon will reboot the infected system once the wiping functionality has been completed.[10][11] |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.
References
- Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
- Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.