Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems contain commands to initiate a shutdown/reboot of a machine or network device. In some cases these commands can also initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. `reload`).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
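The chaining described above (wipe or recovery inhibition, then a shutdown to make it stick) is what a detection for this technique should key on, since a bare shutdown event is mostly benign. The following is an added example, not Atomic Red Team or MITRE content: it assumes a SIEM has normalized Windows System log event 1074 (user-initiated shutdown, which records the initiating process, user, reason and shutdown type) and Linux audit execve records into the flat dicts shown, and correlates each shutdown with destructive commands seen on the same host shortly before it. The hosts, users and events are constructed for the example.

```python
"""Correlate shutdown/reboot telemetry with preceding destructive activity.

Added example, not part of Atomic Red Team or MITRE ATT&CK content. It assumes
a SIEM has normalised two sources into the flat dicts below: Windows System
log event 1074 (user-initiated shutdown: initiating process, user, reason,
shutdown type) and Linux audit records of execve for shutdown binaries. The
events are constructed for the example; they are not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Binaries whose execution means a shutdown/reboot was requested (T1529).
SHUTDOWN_BINARIES = {"shutdown", "shutdown.exe", "reboot", "halt", "poweroff"}

# Destructive precursors the technique is typically chained with
# (Inhibit System Recovery, Disk Structure Wipe, log clearing).
DESTRUCTIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
    r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    r"wevtutil(\.exe)?\s+cl\b",
    r"\bdd\b.*\bof=/dev/(sd|nvme|vd|xvd|mapper)",
    r"\b(wipefs|shred)\b",
)]

# Constructed sample events (hypothetical hosts and users).
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "ws01", "source": "windows", "event_id": 4688,
     "process": r"C:\Windows\System32\vssadmin.exe", "user": r"CORP\jdoe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2024-05-01T10:00:20Z", "host": "ws01", "source": "windows", "event_id": 1074,
     "process": r"C:\Windows\System32\shutdown.exe", "user": r"CORP\jdoe",
     "reason": "No title for this reason could be found", "shutdown_type": "power off"},
    {"ts": "2024-05-01T10:05:00Z", "host": "ws02", "source": "windows", "event_id": 1074,
     "process": r"C:\Windows\System32\winlogon.exe", "user": r"NT AUTHORITY\SYSTEM",
     "reason": "Operating System: Upgrade (Planned)", "shutdown_type": "restart"},
    {"ts": "2024-05-01T11:00:00Z", "host": "lnx01", "source": "linux", "event_id": "execve",
     "process": "/usr/bin/dd", "user": "root", "cmdline": "dd if=/dev/zero of=/dev/sda bs=1M"},
    {"ts": "2024-05-01T11:00:05Z", "host": "lnx01", "source": "linux", "event_id": "execve",
     "process": "/usr/sbin/shutdown", "user": "root", "cmdline": "shutdown -h now"},
    {"ts": "2024-05-01T12:00:00Z", "host": "lnx02", "source": "linux", "event_id": "execve",
     "process": "/usr/sbin/reboot", "user": "root", "cmdline": "reboot"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def is_shutdown(ev):
    """Windows 1074 always marks a shutdown; on Linux match the binary name."""
    if ev["source"] == "windows":
        return ev["event_id"] == 1074
    return ev["event_id"] == "execve" and basename(ev["process"]) in SHUTDOWN_BINARIES


def is_destructive(ev):
    return any(p.search(ev.get("cmdline", "")) for p in DESTRUCTIVE_PATTERNS)


def is_planned(ev):
    """A planned reason code from a system component (e.g. an update) is benign noise."""
    return (ev["source"] == "windows"
            and "(Planned)" in ev.get("reason", "")
            and basename(ev["process"]) != "shutdown.exe")


def correlate(events, window=timedelta(minutes=15)):
    """Return one alert per shutdown event, rated by what preceded it on that host."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for idx, ev in enumerate(ordered):
        if not is_shutdown(ev):
            continue
        t = parse_ts(ev["ts"])
        precursors = [e["cmdline"] for e in ordered[:idx]
                      if e["host"] == ev["host"]
                      and t - parse_ts(e["ts"]) <= window
                      and is_destructive(e)]
        if precursors:
            severity = "high"      # wipe/recovery-inhibit then shutdown: wiper pattern
        elif is_planned(ev):
            severity = "info"      # scheduled restart by a system component
        else:
            severity = "medium"    # CLI/interactive shutdown with no benign reason
        alerts.append({"host": ev["host"], "ts": ev["ts"], "user": ev["user"],
                       "initiator": basename(ev["process"]), "severity": severity,
                       "precursors": precursors})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["initiator"], alert["precursors"])
```

The window length is the main tuning knob: wipers such as the ones cited above trigger the reboot seconds after the destructive step, so a short window keeps the high-severity path precise, while the medium tier catches every `shutdown.exe`/`shutdown`/`reboot` invocation that is not a planned restart for triage.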
Atomic Tests
Atomic Test #1 - Shutdown System via `shutdown` - Windows
Atomic Test #2 - Restart System via `shutdown` - Windows
Atomic Test #3 - Restart System via `shutdown` - FreeBSD/macOS/Linux
Atomic Test #4 - Shutdown System via `shutdown` - FreeBSD/macOS/Linux
Atomic Test #5 - Restart System via `reboot` - FreeBSD/macOS/Linux
Atomic Test #6 - Shutdown System via `halt` - FreeBSD/Linux
Atomic Test #7 - Restart System via `halt` - FreeBSD
Atomic Test #8 - Restart System via `halt` - Linux
Atomic Test #9 - Shutdown System via `poweroff` - FreeBSD/Linux
Atomic Test #10 - Restart System via `poweroff` - FreeBSD
Atomic Test #11 - Restart System via `poweroff` - Linux
Atomic Test #12 - Logoff System - Windows
Atomic Test #13 - ESXi - Terminate VM processes via `pkill`
Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs
Atomic Test #1 - Shutdown System via `shutdown` - Windows
This test shuts down a Windows system.
Supported Platforms: Windows
auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before shutdown (seconds) | integer | 1 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
```cmd
shutdown /s /t #{timeout}
```
Atomic Test #2 - Restart System via `shutdown` - Windows
This test restarts a Windows system.
Supported Platforms: Windows
auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before restart (seconds) | integer | 1 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
```cmd
shutdown /r /t #{timeout}
```
Atomic Test #3 - Restart System via `shutdown` - FreeBSD/macOS/Linux
This test restarts a FreeBSD/macOS/Linux system.
Supported Platforms: Linux, macOS
auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Time to restart (can be minutes or specific time) | string | now |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
shutdown -r #{timeout}
```
Atomic Test #4 - Shutdown System via `shutdown` - FreeBSD/macOS/Linux
This test shuts down a FreeBSD/macOS/Linux system using a halt.
Supported Platforms: Linux, macOS
auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Time to shutdown (can be minutes or specific time) | string | now |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
shutdown -h #{timeout}
```
Atomic Test #5 - Restart System via `reboot` - FreeBSD/macOS/Linux
This test restarts a FreeBSD/macOS/Linux system via `reboot`.
Supported Platforms: Linux, macOS
auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
reboot
```
Atomic Test #6 - Shutdown System via `halt` - FreeBSD/Linux
This test shuts down a FreeBSD/Linux system using `halt`.
Supported Platforms: Linux
auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
halt -p
```
Atomic Test #7 - Restart System via `halt` - FreeBSD
This test restarts a FreeBSD system using `halt`.
Supported Platforms: Linux
auto_generated_guid: 7b1cee42-320f-4890-b056-d65c8b884ba5
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
halt -r
```
Atomic Test #8 - Restart System via `halt` - Linux
This test restarts a Linux system using `halt`.
Supported Platforms: Linux
auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
```bash
halt --reboot
```
Atomic Test #9 - Shutdown System via `poweroff` - FreeBSD/Linux
This test shuts down a FreeBSD/Linux system using `poweroff`.
Supported Platforms: Linux
auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
poweroff
```
Atomic Test #10 - Restart System via `poweroff` - FreeBSD
This test restarts a FreeBSD system using `poweroff`.
Supported Platforms: Linux
auto_generated_guid: 5a282e50-86ff-438d-8cef-8ae01c9e62e1
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
```sh
poweroff -r 3
```
Atomic Test #11 - Restart System via `poweroff` - Linux
This test restarts a Linux system using `poweroff`.
Supported Platforms: Linux
auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
```bash
poweroff --reboot
```
Atomic Test #12 - Logoff System - Windows
This test performs a Windows system logoff, as seen in the DCRat backdoor's capabilities. `shutdown /l` only ends the current user's session; it cannot be combined with the `/m` (remote computer) or `/d` (reason) options.
Supported Platforms: Windows
auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
```cmd
shutdown /l
```
Atomic Test #13 - ESXi - Terminate VM processes via `pkill`
In VMware ESXi, process names starting with vmx belong to running VMs. An adversary can use the pkill command to kill every process with the vmx prefix, which terminates all running VMs on the host at once. Reference
The test runs from a Windows host and reaches the ESXi server over SSH with plink, so the ESXi SSH service must be enabled; note that `-pw` places the ESXi password in the plink command line, where Windows process-creation auditing will record it.
Supported Platforms: Windows
auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| vm_user | Specify the privileged user account on the ESXi Server | string | root |
| vm_pass | Specify the privileged user password on the ESXi Server | string | pass |
| plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
| cli_script | Path to text file with commands | path | PathToAtomicsFolder\T1529\src\esx_pkill.txt |
Attack Commands: Run with command_prompt!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
Dependencies: Run with powershell!
Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
Atomic Test #14 - ESXi - Avoslocker enumerates VMs and forcefully kills VMs
Avoslocker malware has built-in functionality to enumerate the VM instances on an ESXi host and uses the esxcli command to forcefully power them off. Reference
Supported Platforms: Windows
auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| vm_user | Specify the privileged user account on the ESXi Server | string | root |
| vm_pass | Specify the privileged user password on the ESXi Server | string | pass |
| plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
| cli_script | Path to text file with commands | path | PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt |
Attack Commands: Run with command_prompt!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
Dependencies: Run with powershell!
Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
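Both ESXi tests (#13 and #14) leave the same trace on the hypervisor: a burst of VM-killing commands from one shell session. ESXi records every command entered in the ESXi Shell, including over SSH, in /var/log/shell.log as `<timestamp> shell[<pid>]: [<user>]: <command>`. The detector below is an added example, not Atomic Red Team code or the commands in the test's script files; it parses constructed shell.log lines (hypothetical world IDs, not real logs) and flags a session that either pkills vmx processes or kills several VMs in a short window, which separates the attack from an administrator powering off one VM.

```python
"""Flag mass VM termination from a single ESXi shell session.

Added example; it is not code from Atomic Red Team or from the AvosLocker
sample the test imitates. Commands typed into the ESXi shell, including over
SSH as the plink-driven tests do, are written to /var/log/shell.log as
'<ts> shell[<pid>]: [<user>]: <command>'. The lines below are constructed to
that shape with hypothetical world IDs; they are not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/shell.log sample: session 2100123 lists VMs, force-kills
# three by world ID, then pkills every vmx process; session 2100500 does one
# soft kill, which is ordinary admin activity.
SAMPLE_LOG = """\
2024-05-01T09:58:41Z shell[2100123]: [root]: esxcli vm process list
2024-05-01T09:58:50Z shell[2100123]: [root]: esxcli vm process kill --type=force --world-id=2099845
2024-05-01T09:58:51Z shell[2100123]: [root]: esxcli vm process kill --type=force --world-id=2099901
2024-05-01T09:58:52Z shell[2100123]: [root]: esxcli vm process kill --type=force --world-id=2099977
2024-05-01T09:58:55Z shell[2100123]: [root]: pkill -9 vmx
2024-05-02T14:10:03Z shell[2100500]: [root]: esxcli vm process kill --type=soft --world-id=2101000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
ESXCLI_KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--world-id[= ](\d+)")
VIMCMD_OFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\s+(\d+)")
FORCE_RE = re.compile(r"--type[= ]force\b")
PKILL_VMX_RE = re.compile(r"\bpkill\b.*\bvmx\b")


def parse_shell_log(text):
    """Yield one dict per line that matches the shell.log layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def world_id(cmd):
    """Return the world ID (esxcli) or vmid (vim-cmd) a kill targets, else None."""
    m = ESXCLI_KILL_RE.search(cmd) or VIMCMD_OFF_RE.search(cmd)
    return m.group(1) if m else None


def max_in_window(times, window):
    """Largest count of timestamps that fall inside any interval of length window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(text, threshold=3, window=timedelta(minutes=5)):
    """One finding per shell session that pkills vmx or kills >= threshold VMs in window."""
    sessions = defaultdict(list)
    for rec in parse_shell_log(text):
        sessions[rec["pid"]].append(rec)

    findings = []
    for pid, recs in sessions.items():
        kills = [r for r in recs if world_id(r["cmd"])]
        pkill_vmx = any(PKILL_VMX_RE.search(r["cmd"]) for r in recs)
        burst = max_in_window([r["time"] for r in kills], window)
        if not pkill_vmx and burst < threshold:
            continue
        findings.append({
            "pid": pid,
            "user": recs[0]["user"],
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "kill_count": len(kills),
            "force_kills": sum(1 for r in kills if FORCE_RE.search(r["cmd"])),
            "pkill_vmx": pkill_vmx,
            "world_ids": [world_id(r["cmd"]) for r in kills],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"session {f['pid']} ({f['user']}): {f['kill_count']} VM kills "
              f"({f['force_kills']} forced), pkill vmx={f['pkill_vmx']}, ids={f['world_ids']}")
```

Pair this with the SSH login records on the host (which tie the shell session to a source address) and with process-creation auditing on the Windows side, where the plink command line from the tests above, password included, is visible.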