Detectionmediumtest

Suspicious Execution of Shutdown to Log Out

Detects the rare use of the command line tool shutdown to logoff a user

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

François HubautCreated Sat Oct 01ec290c06-9b6b-4338-8b6b-095c0f284f10windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\shutdown.exe'
        CommandLine|contains: '/l'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

ec290c06-9b6b-4338-8b6b-095c0f284f10

Status

test

Level

medium

Type

Detection

Created

Sat Oct 01

Author

Path

rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml

Raw Tags

attack.impactattack.t1529