Techniques
Sample rules
Windows System Shutdown CommandLine
- source: splunk
- technicques:
- T1529
Description
This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*") AND Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_shutdown_commandline_filter`
Windows System Reboot CommandLine
- source: splunk
- technicques:
- T1529
Description
The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process IN ("* /r*", "* -r*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_reboot_commandline_filter`