System Shutdown/Reboot - Linux

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Sigma rule (View on GitHub)

 1title: System Shutdown/Reboot - Linux
 2id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
 3status: test
 4description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 7author: 'Igor Fits, oscd.community'
 8date: 2020-10-15
 9modified: 2022-11-26
10tags:
11    - attack.impact
12    - attack.t1529
13logsource:
14    product: linux
15    service: auditd
16detection:
17    execve:
18        type: 'EXECVE'
19    shutdowncmd:
20        - 'shutdown'
21        - 'reboot'
22        - 'halt'
23        - 'poweroff'
24    init:
25        - 'init'
26        - 'telinit'
27    initselection:
28        - 0
29        - 6
30    condition: execve and (shutdowncmd or (init and initselection))
31falsepositives:
32    - Legitimate administrative activity
33level: informational

References

Related rules

to-top