System Shutdown/Reboot

The System Shutdown/Reboot technique refers to an adversary forcibly interrupting the running state of a target system by executing operating-system or hardware-level instructions, typically to hinder incident response, amplify the impact of destructive actions, or cover attack traces. Traditional defenses rely on process monitoring (e.g., detecting the shutdown.exe call chain), log analysis (Windows Event IDs 1074/6006), and network device CLI auditing (e.g., recording execution of the reload command). By establishing an allowlist of system operations and a baseline of normal behaviour on hardware management interfaces, unauthorized shutdowns can be identified effectively.

To evade these traditional detection mechanisms, adversaries have developed newer shutdown/reboot techniques that combine multi-level concealment of the operation, abuse of hardware protocols, and erasure of the trace chain. These techniques step outside the audit boundary of the operating system, pushing the malicious operation down to the hardware control plane or blending it into legitimate management protocols, forming a cross-layer, cross-protocol covert attack pattern.

What current shutdown/reboot trace-hiding techniques have in common is vertical penetration of the attack surface and end-to-end erasure of operational traces. By crossing the software/hardware boundary (e.g., shutdown by a forged system-maintenance process, and hardware-level power-off disguise), the adversary extends the path along which the operation's instructions travel into the blind spots of conventional security monitoring, constructing an "execution without traces" negative-feedback loop: forged system-maintenance process shutdown focuses on disguising the identity of the party initiating the operation, while hardware-level power-off disguise focuses on irreversibly removing traces at the physical layer. Together they form a trace-hiding loop covering the full lifecycle of the operation, so that the shutdown/reboot appears legitimate or untraceable across system logs, network traffic, hardware audit records and other dimensions.

The evolution of trace-hiding techniques poses a fundamental challenge to detection architectures built on operational audit logs. Defenders need to build a combined hardware/software monitoring system, implement firmware integrity verification and recognition of anomalous power-state patterns, and strengthen mutual authentication for remote management protocols in order to counter cross-layer covert shutdown attacks.

ID: T1529
Sub-techniques: T1529.001, T1529.002
Tactic: Impact
Platforms: Linux, Network, Windows, macOS
Impact Type: Availability
Contributors: Austin Clark, @c2defense; Hubert Mank
Version: 1.3
Created: 04 October 2019
Last Modified: 22 March 2023

Trace-Hiding Effects

Effect Type                  Present
Signature Disguise
Behavioral Transparency
Data Obscuring
Spatiotemporal Trace Removal

Signature Disguise

The adversary precisely imitates the characteristic parameters of legitimate system-maintenance operations (e.g., the process call chain, log event format, and protocol interaction sequence) to disguise a malicious shutdown instruction as an authorized management action. For example, in forged system-maintenance process shutdown, the adversary fully reproduces the shutdown command parameter format and event log structure used by Windows Update, so that at the level of surface features the operation cannot be distinguished from legitimate behaviour.

Behavioral Transparency

System shutdown and reboot are themselves routine operations in day-to-day administration. By performing a shutdown or reboot through legitimate command-line tools, the adversary makes the action look like normal system management activity that is unlikely to raise a security alert, so the technique inherently carries some degree of behavioral transparency. By executing shutdown/reboot commands indirectly, the adversary can further increase the stealth of the activity and thereby enhance the transparency of the attack behaviour.

Procedure Examples

ID Name Description
S1125 AcidRain

AcidRain reboots the target system once the various wiping processes are complete.[1]

S1133 Apostle

Apostle reboots the victim machine following wiping and related activity.[2]

G0067 APT37

APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.[3]

G0082 APT38

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[4]

S1053 AvosLocker

AvosLocker’s Linux variant has terminated ESXi virtual machines.[5]

S1136 BFG Agonizer

BFG Agonizer uses elevated privileges to call NtRaiseHardError to induce a "blue screen of death" on infected systems, causing a system crash. Once shut down, the system is no longer bootable.[6]

S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can reboot or shut down the targeted system or log off the current user.[7]

S1033 DCSrv

DCSrv has a function to sleep for two hours before rebooting the system.[8]

S0697 HermeticWiper

HermeticWiper can initiate a system shutdown.[9][10]

S0607 KillDisk

KillDisk attempts to reboot the machine by terminating specific processes.[11]

S1160 Latrodectus

Latrodectus has the ability to restart compromised hosts.[12]

G0032 Lazarus Group

Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.[13]

S0372 LockerGoga

LockerGoga has been observed shutting down infected systems.[14]

S0582 LookBack

LookBack can shut down and reboot the victim machine.[15]

S0449 Maze

Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[16]

S1135 MultiLayer Wiper

MultiLayer Wiper reboots the infected system following wiping and related tasks to prevent system recovery.[6]

S0368 NotPetya

NotPetya will reboot the system one hour after infection.[17][18]

S0365 Olympic Destroyer

Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings.[19][18]

S0140 Shamoon

Shamoon will reboot the infected system once the wiping functionality has been completed.[20][21]

S0689 WhisperGate

WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.[22]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments of binaries involved in shutting down or rebooting systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009 Process Process Creation

Monitor for newly executed processes of binaries involved in shutting down or rebooting systems.

DS0013 Sensor Health Host Status

Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may suggest the shutting down or rebooting of the system. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.
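The following script is an added example, not code from the ATT&CK page, that puts the allowlist/baseline approach described in the introduction (process monitoring of the shutdown.exe call chain, Windows Event IDs 1074/6006, and CLI auditing of the reload command on network devices) and the three data sources in the Detection table above into working detection logic. The event field names, the allowlist entries, the AAA log line format and the 60-second timer threshold are assumptions for illustration; all telemetry in the block is constructed sample data.

```python
# Allowlist/baseline detection of unauthorized shutdown and reboot activity.
# Added example, not part of the ATT&CK page. Field names, allowlists and the
# timer threshold are assumptions for illustration; every record is constructed.
import re
from collections import defaultdict

# Assumed baseline: processes that legitimately request shutdown on managed
# Windows hosts, and accounts permitted to run shutdown.exe (hypothetical).
ALLOWED_SHUTDOWN_PROCESSES = {r"c:\windows\system32\svchost.exe",
                              r"c:\windows\system32\wininit.exe",
                              r"c:\windows\system32\winlogon.exe"}
ALLOWED_SHUTDOWN_USERS = {r"nt authority\system", r"corp\svc-patch"}
# Assumed baseline for network devices: accounts allowed to issue "reload".
ALLOWED_RELOAD_USERS = {"netops-auto"}
# Heuristic threshold (seconds): a shutdown timer this short leaves responders
# no window to intervene (the page's APT37 example used "shutdown /r /t 1").
MIN_EXPECTED_TIMEOUT = 60

SHUTDOWN_RE = re.compile(r"(?:^|\\|\s)shutdown(?:\.exe)?\b(?P<args>.*)$", re.I)
TIMEOUT_RE = re.compile(r"/t\s+(\d+)", re.I)
AAA_RE = re.compile(r"user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


def check_event_1074(ev):
    """Event ID 1074: a process requested shutdown/restart; compare the initiator to the baseline."""
    proc, user = ev.get("process", ""), ev.get("user", "")
    findings = []
    if proc.lower() not in ALLOWED_SHUTDOWN_PROCESSES:
        findings.append((ev["host"], "1074-non-baseline-process", proc))
    if user.lower() not in ALLOWED_SHUTDOWN_USERS:
        findings.append((ev["host"], "1074-non-baseline-user", user))
    return findings


def check_shutdown_sequence(events):
    """Walk host events in order. Event ID 6006 (event log service stopped at shutdown)
    with no earlier 1074 on that host means the machine went down with no recorded initiator."""
    initiators = defaultdict(list)
    findings = []
    for ev in events:
        if ev["event_id"] == 1074:
            initiators[ev["host"]].append(ev)
            findings.extend(check_event_1074(ev))
        elif ev["event_id"] == 6006 and not initiators[ev["host"]]:
            findings.append((ev["host"], "6006-without-1074", "no recorded initiator"))
    return findings


def check_command(rec):
    """DS0017 Command Execution: inspect shutdown.exe invocations and their arguments."""
    m = SHUTDOWN_RE.search(rec["cmdline"])
    if not m:
        return []
    findings = []
    if rec["user"].lower() not in ALLOWED_SHUTDOWN_USERS:
        findings.append((rec["host"], "shutdown-exe-non-baseline-user", rec["cmdline"]))
    t = TIMEOUT_RE.search(m.group("args"))
    if t and int(t.group(1)) < MIN_EXPECTED_TIMEOUT:
        findings.append((rec["host"], "shutdown-exe-short-timer", rec["cmdline"]))
    return findings


def check_aaa_line(line):
    """Network device AAA accounting: flag 'reload' from accounts outside the baseline."""
    m = AAA_RE.search(line)
    if not m:
        return []
    user, cmd = m.group("user"), m.group("cmd").strip()
    if cmd.split()[0].lower() == "reload" and user not in ALLOWED_RELOAD_USERS:
        return [("network", "reload-non-baseline-user", line)]
    return []


def run_detections(events, commands, aaa_lines):
    """Apply all three checks; returns a list of (host, rule, detail) tuples."""
    findings = check_shutdown_sequence(events)
    for rec in commands:
        findings.extend(check_command(rec))
    for line in aaa_lines:
        findings.extend(check_aaa_line(line))
    return findings


# Constructed sample telemetry (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1074, "user": "NT AUTHORITY\\SYSTEM", "process": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "WS01", "event_id": 6006},
    {"host": "WS02", "event_id": 1074, "user": "CORP\\jdoe", "process": "C:\\Users\\jdoe\\Temp\\upd.exe"},
    {"host": "WS02", "event_id": 6006},
    {"host": "WS03", "event_id": 6006},  # shutdown with no 1074 recorded at all
]
SAMPLE_COMMANDS = [
    {"host": "WS02", "user": "CORP\\jdoe", "cmdline": "shutdown /r /t 1"},
    {"host": "WS04", "user": "CORP\\svc-patch", "cmdline": "C:\\Windows\\System32\\shutdown.exe /r /t 600"},
]
SAMPLE_AAA = [
    "Mar 22 03:12:01 rtr1 aaa: user=netops-auto cmd=reload",
    "Mar 22 03:40:17 rtr2 aaa: user=guest cmd=reload in 1",
    "Mar 22 03:41:02 rtr2 aaa: user=guest cmd=show version",
]

if __name__ == "__main__":
    for host, rule, detail in run_detections(SAMPLE_EVENTS, SAMPLE_COMMANDS, SAMPLE_AAA):
        print(f"{host:8} {rule:32} {detail}")
```

On the constructed data the script reports six findings: the WS02 reboot requested by an executable in a user-writable path under an account outside the baseline, WS03 going down without any 1074 record, the one-second timer and non-baseline account on the WS02 shutdown.exe invocation, and a reload issued by an account outside the network-device baseline. The scheduled reboots on WS01 and WS04 and the netops-auto reload match the baseline and produce nothing, which is the property the allowlist approach in the introduction relies on: the detection keys on who and what initiated the shutdown, not on the shutdown itself.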

References