Try it using Invoke-Atomic

System Shutdown/Reboot

Description from ATT&CK

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device.(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

Atomic Tests

Atomic Test #1 - Shutdown System - Windows

This test shuts down a Windows system.

Supported Platforms: windows

auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64

Inputs:

Name Description Type Default Value
timeout Timeout period before shutdown (seconds) Integer 1

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
shutdown /s /t #{timeout}

Atomic Test #2 - Restart System - Windows

This test restarts a Windows system.

Supported Platforms: windows

auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302

Inputs:

Name Description Type Default Value
timeout Timeout period before restart (seconds) Integer 1

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
shutdown /r /t #{timeout}

Atomic Test #3 - Restart System via
1
shutdown
- macOS/Linux

This test restarts a macOS/Linux system.

Supported Platforms: macos,linux

auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb

Inputs:

Name Description Type Default Value
timeout Time to restart (can be minutes or specific time) String now

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
shutdown -r #{timeout}

Atomic Test #4 - Shutdown System via
1
shutdown
- macOS/Linux

This test shuts down a macOS/Linux system using a halt.

Supported Platforms: macos,linux

auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de

Inputs:

Name Description Type Default Value
timeout Time to shutdown (can be minutes or specific time) String now

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
shutdown -h #{timeout}

Atomic Test #5 - Restart System via
1
reboot
- macOS/Linux

This test restarts a macOS/Linux system via

1
reboot
.

Supported Platforms: macos,linux

auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
reboot

Atomic Test #6 - Shutdown System via
1
halt
- Linux

This test shuts down a Linux system using

1
halt
.

Supported Platforms: linux

auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
halt -p

Atomic Test #7 - Reboot System via
1
halt
- Linux

This test restarts a Linux system using

1
halt
.

Supported Platforms: linux

auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
halt --reboot

Atomic Test #8 - Shutdown System via
1
poweroff
- Linux

This test shuts down a Linux system using

1
poweroff
.

Supported Platforms: linux

auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
poweroff

Atomic Test #9 - Reboot System via
1
poweroff
- Linux

This test restarts a Linux system using

1
poweroff
.

Supported Platforms: linux

auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
poweroff --reboot

Atomic Test #10 - Logoff System - Windows

This test performs a Windows system logoff as seen in dcrat backdoor capabilities

Supported Platforms: windows

auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
shutdown /l 

source