System Shutdown/Reboot - MacOs
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Sigma rule (View on GitHub)
1title: System Shutdown/Reboot - MacOs
2id: 40b1fbe2-18ea-4ee7-be47-0294285811de
3status: test
4description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
7author: 'Igor Fits, Mikhail Larin, oscd.community'
8date: 2020-10-19
9modified: 2022-11-26
10tags:
11 - attack.impact
12 - attack.t1529
13logsource:
14 product: macos
15 category: process_creation
16detection:
17 selection:
18 Image|endswith:
19 - '/shutdown'
20 - '/reboot'
21 - '/halt'
22 condition: selection
23falsepositives:
24 - Legitimate administrative activity
25level: informational
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Cisco Denial of Service
- Silence.EDA Detection
- Suspicious Execution of Shutdown
- Suspicious Execution of Shutdown to Log Out
- System Shutdown/Reboot - Linux