Everyone knows that system shutdown and reboot are ubiquitous system features spanning every platform, practically as common as a keyboard. Shutdown/reboot denies system availability to users, and attackers use this feature to their benefit by denying them the availability of their system during an attack.  This article will detail the system shutdown/reboot attack technique as enumerated in the MITRE ATT&CK matrix. We’ll explore the danger of abuse of system features-based attack techniques, what this attack technique is, real-world examples of this attack technique in action, the problem with mitigation and how to detect this attack. 

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity. To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.

What is the system shutdown/reboot attack technique?

System shutdown and reboot is something that everyone who has touched a PC is at least familiar with. Attackers can use this feature to cause interruption to system access or in furtherance of target system destruction.  For the most part, when attackers use this technique, they are not using the shutdown/reboot button located in the Windows Start menu (unless they are remoted into a system unbeknownst to the user) but rather use commands to shutdown/reboot. No matter which method is used, the result is the same — disrupting access to computer-based resources of target system users.  Attackers may incorporate this attack technique after other techniques are used to impact the target system, such as with the inhibit system recovery and disk structure wipe attacks. When system shutdown/reboot is used in this way, it is intended to quicken denial of system availability in order to support these previously used attack techniques — sort of like a supplementary attack technique. The system shutdown/reboot attack technique is useful for adversaries and can be frustrating for legitimate users (to say the least!).

The danger of abuse of system features

Before we discuss the shutdown attack in any detail, we first should discuss what makes it so dangerous.  This attack technique is considered an abuse of system features technique. What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. Unfortunately for compromised user systems, there is no counter-move to system shutdown/reboot because it is about as essential as information input through a keyboard or mouse. 

Real-world examples

Different attack groups and threats have used this attack technique in different ways, all toward the same end — interrupting system availability during the course of an attack.

APT37

This cyber-espionage group is suspected of being North Korea-based and has been around since 2012, with its targets being mainly in Asia. In their “Are you Happy?” campaign, they used a Master Boot Record (MBR) wiping technique followed by the command shutdown /r /t 1 to reboot target systems as the proverbial icing on the cake.

LockerGoga

LockerGoga is ransomware that has been wreaking havoc on industrial and manufacturing organizations in Europe. This relatively new ransomware has been observed shutting down infected systems. Because it targets high-stakes and critical infrastructure, shutdown is even more damaging than for non-critical infrastructure organizations.

NotPetya

Originally categorized as a type of ransomware, it appears that its attackers never planned on making the data it encrypts recoverable, making it more of a wiper malware. First spotted in June of 2017, NotPetya is known to reboot systems one hour after infection.

The problem with mitigation

As mentioned earlier in this article, this attack is an abuse of system features attack. Abuse of system features-based attacks cannot be effectively mitigated because they take advantage of legitimate, necessary features.

Detection of system shutdown/reboot

Unlike mitigation, system shutdown/reboot can be detected by a couple of methods. First, process monitoring should be used to monitor command line parameters involved in this attack technique and execution. Second, Windows event logs are capable of capturing evidence of this attack technique: monitor for Window event IDs 1074 and 6006.

Conclusion

System shutdown/reboot is a ubiquitous system feature of PCs. Attackers can abuse this system feature to shut down or reboot systems during the course of an attack campaign to deny users system access and to help further other attack techniques used against the target system.  This attack technique cannot be readily mitigated, but it can be detected. Monitoring for unexpected shutdowns and reboots that have no logical explanation may lead the way toward uncovering an attack already underway on a system.  

Sources

System Shutdown/Reboot, MITRE Korea in the Crosshairs, Talos Blog  A Guide to LockerGoga, the Ransomware Crippling Industrial Firms, WIRED