
System Shutdown/Reboot - Linux

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Author: Igor Fits, oscd.community
Created: Thu Oct 15
Updated: Sat Nov 26
Rule ID: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
Product: linux

Log Source
Product: Linux (raw: linux)
Service: auditd (raw: auditd)
Detection Logic (4 selectors)
detection:
    execve:
        type: 'EXECVE'
    shutdowncmd:
        - 'shutdown'
        - 'reboot'
        - 'halt'
        - 'poweroff'
    init:
        - 'init'
        - 'telinit'
    initselection:
        - 0
        - 6
    condition: execve and (shutdowncmd or (init and initselection))
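To show how the condition above evaluates against real auditd records, here is an added Python evaluator (example code, not part of the Sigma rule or the Sigma project). It assumes keyword selectors are matched as case-insensitive substrings of the EXECVE argument fields a0..aN only, whereas Sigma backends commonly compile unbound keywords into substring matches over the whole event; the sample log lines are constructed.

```python
import re

# Selectors copied from the rule. Keyword lists are matched here as
# case-insensitive substrings of the EXECVE argv fields (a0, a1, ...).
# Assumption: real backends often match unbound keywords against the whole
# event, so "0"/"6" would then also hit timestamps and other numeric fields.
SHUTDOWN_CMDS = {"shutdown", "reboot", "halt", "poweroff"}
INIT_CMDS = {"init", "telinit"}
INIT_LEVELS = {"0", "6"}

# key=value pairs; values may be double-quoted (auditd quotes argv strings)
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit(line):
    """Split one auditd record into a dict of key -> unquoted value."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def execve_args(fields):
    """Return the argv tokens a0, a1, ... of an EXECVE record, lower-cased."""
    argv, i = [], 0
    while f"a{i}" in fields:
        argv.append(fields[f"a{i}"].lower())
        i += 1
    return argv


def matches_rule(line):
    """Evaluate: execve and (shutdowncmd or (init and initselection))."""
    fields = parse_audit(line)
    if fields.get("type") != "EXECVE":      # the 'execve' selector
        return False
    argv = execve_args(fields)

    def any_kw(keywords):
        return any(kw in tok for tok in argv for kw in keywords)

    shutdowncmd = any_kw(SHUTDOWN_CMDS)
    init = any_kw(INIT_CMDS)
    initselection = any_kw(INIT_LEVELS)
    return shutdowncmd or (init and initselection)


# Constructed sample records (timestamps and serials are made up)
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1602720000.101:201): argc=2 a0="/sbin/shutdown" a1="-h"',
    'type=EXECVE msg=audit(1602720000.102:202): argc=2 a0="telinit" a1="6"',
    'type=EXECVE msg=audit(1602720000.103:203): argc=2 a0="init" a1="3"',
    'type=SYSCALL msg=audit(1602720000.104:204): syscall=59 success=yes comm="reboot"',
    'type=EXECVE msg=audit(1602720000.105:205): argc=3 a0="systemctl" a1="status" a2="sshd"',
]

if __name__ == "__main__":
    for record in SAMPLE_LOG:
        print(matches_rule(record), record)
```

Only the first two records match: `init 3` fails `initselection`, the SYSCALL record fails the `execve` selector even though it names `reboot`, and the `systemctl` invocation hits no keyword.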
False Positives

Legitimate administrative activity

Rule Metadata
Rule ID
4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
Status
test
Level
informational
Type
Detection
Created
Thu Oct 15
Modified
Sat Nov 26
Path
rules/linux/auditd/execve/lnx_auditd_system_shutdown_reboot.yml
Raw Tags
attack.impact
attack.t1529