System Shutdown/Reboot - MacOs

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Sigma rule

title: System Shutdown/Reboot - MacOs
id: 40b1fbe2-18ea-4ee7-be47-0294285811de
status: test
description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/19
modified: 2022/11/26
tags:
    - attack.impact
    - attack.t1529
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/shutdown'
            - '/reboot'
            - '/halt'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: informational
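
How the rule's selection evaluates, as an added example that is not part of the Sigma project or the original page: it applies the `Image|endswith` list to constructed process_creation events and shows that the leading slash anchors each value to a whole file name. The event layout, the `CommandLine` and `User` fields, and all sample events are assumptions made for illustration.

```python
# Added example. Suffixes are copied from the rule above; the event layout
# and every sample event below are constructed for illustration.
SUFFIXES = ("/shutdown", "/reboot", "/halt")


def selection(event):
    """`Image|endswith` with a value list: logical OR over the suffixes.

    Sigma string matching is case-insensitive by default, so both sides
    are compared in lower case. A missing Image field never matches.
    """
    image = str(event.get("Image") or "").lower()
    return any(image.endswith(suffix) for suffix in SUFFIXES)


def matches(events):
    """Apply `condition: selection` and return the Image of each hit."""
    return [e["Image"] for e in events if selection(e)]


# Constructed macOS process_creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {"Image": "/sbin/shutdown", "CommandLine": "shutdown -h now", "User": "root"},
    {"Image": "/sbin/reboot", "CommandLine": "reboot", "User": "root"},
    {"Image": "/sbin/halt", "CommandLine": "halt -q", "User": "root"},
    # Case variant: still a hit because matching is case-insensitive.
    {"Image": "/SBIN/Reboot", "CommandLine": "Reboot", "User": "root"},
    # Not a hit: the file name only ends in "shutdown"; the rule's values
    # start with "/" and therefore require the whole file name to match.
    {"Image": "/usr/local/bin/pre-shutdown", "CommandLine": "pre-shutdown", "User": "admin"},
    # Not a hit: unrelated binary.
    {"Image": "/usr/bin/ssh", "CommandLine": "ssh build-host", "User": "admin"},
    # Not a hit: the rule inspects Image only, and this event has none.
    {"CommandLine": "shutdown -r now", "User": "root"},
]

if __name__ == "__main__":
    for image in matches(SAMPLE_EVENTS):
        print("match:", image)
```
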
