Description
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) These commands may also include shutdown/reboot of a virtual machine via hypervisor or cloud consoles or command-line tools.
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may also use Windows API functions, such as InitializeSystemShutdownExW or ExitWindowsEx, to force a system to shut down or reboot.(Citation: CrowdStrike Blog)(Citation: Unit42 Agrius 2023) Alternatively, the NtRaiseHardError or ZwRaiseHardError Windows API functions with the ResponseOption parameter set to OptionShutdownSystem may deliver a “blue screen of death” (BSOD) to a system.(Citation: SonicWall)(Citation: NtRaiseHardError)(Citation: NotMe-BSOD) In order to leverage these API functions, an adversary may need to acquire SeShutdownPrivilege (e.g., via Access Token Manipulation).(Citation: Unit42 Agrius 2023)
In some cases, the system may not be able to boot again.
Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
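The description above names the two ways the technique shows up on a Windows host: a shutdown command with a short or forced timer (the `shutdown /r /t 1` pattern in the APT37 entry below) and a direct API call from an unexpected process. The triage script that follows is an added example, not part of the ATT&CK page and not code from any of the projects it cites. It relies on two real Windows System log events, ID 1074 (User32 records which process requested a shutdown or restart) and ID 6008 (the previous shutdown was unexpected, which is what a hard-error BSOD leaves behind); everything else is constructed: the flattened record schema, the sample records, the process allowlist and the 60-second timer threshold.

```python
"""Triage constructed Windows telemetry for T1529-style shutdown/reboot activity.

Added example (not from the ATT&CK page). Event IDs 1074 and 6008 are real
Windows System log events; the record fields below are a simplified schema of
my own, not the XML that Windows emits.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Processes that routinely request shutdowns on a managed host. Constructed
# allowlist: tune it from a baseline of your own 1074 events.
EXPECTED_INITIATORS = {"explorer.exe", "winlogon.exe", "wininit.exe",
                       "msiexec.exe", "ccmexec.exe", "tiworker.exe"}
MAX_BENIGN_TIMEOUT = 60  # seconds; shorter timers leave users no chance to save work


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# One switch (/x or -x) optionally followed by a value that is not itself a switch.
_SWITCH = re.compile(r"[/-]([a-z])(?:\s+([^/\-\s]\S*))?", re.IGNORECASE)


def parse_shutdown_cmdline(cmdline: str) -> Optional[dict]:
    """Return {switch: value} for a shutdown.exe command line, else None.

    Accepts 'shutdown', 'shutdown.exe' or a full image path, and both '/' and '-'.
    """
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return None
    image = parts[0].strip('"').lower()
    if image not in ("shutdown", "shutdown.exe") and not image.endswith("\\shutdown.exe"):
        return None
    args = parts[1] if len(parts) > 1 else ""
    return {m.group(1).lower(): m.group(2) for m in _SWITCH.finditer(args)}


def _timeout(flags: dict) -> int:
    """shutdown.exe uses a 30 s timer when /t is absent."""
    try:
        return int(flags.get("t") or 30)
    except ValueError:
        return 30


def triage(records) -> list:
    """Apply three rules to process-creation and event-log records."""
    findings = []
    for r in records:
        host = r["host"]
        if r["kind"] == "process":
            flags = parse_shutdown_cmdline(r["cmdline"])
            if flags is None:
                continue
            action = next((f for f in ("s", "r", "p") if f in flags), None)
            if action is None:
                continue  # e.g. 'shutdown /a' (abort) or bare usage text
            timeout = _timeout(flags)
            # Rule 1: forced (/f), immediate (/p) or short-timer shutdown/restart.
            if "f" in flags or "p" in flags or timeout <= MAX_BENIGN_TIMEOUT:
                findings.append(Finding(host, "forced_or_immediate_shutdown_cmd",
                                        f"{r['cmdline']!r} from parent {r['parent']} "
                                        f"(timeout={timeout}s)"))
            # Rule 2: /m targets another machine, the remote variant in the description.
            if "m" in flags:
                findings.append(Finding(host, "remote_shutdown_cmd", f"target {flags['m']}"))
        elif r["kind"] == "event" and r["event_id"] == 1074:
            # Rule 3: 1074 names the requesting process; API callers show up here
            # even when no shutdown.exe process was ever created.
            proc = r["process"].rsplit("\\", 1)[-1].lower()
            if proc not in EXPECTED_INITIATORS:
                findings.append(Finding(host, "shutdown_by_unexpected_process",
                                        f"{r['process']} requested {r['shutdown_type']} "
                                        f"as {r['user']}"))
        elif r["kind"] == "event" and r["event_id"] == 6008:
            findings.append(Finding(host, "unexpected_shutdown",
                                    "previous shutdown was not clean (crash/BSOD or power loss)"))
    return findings


# Constructed sample telemetry: one benign patch-window restart among suspicious events.
SAMPLE_RECORDS = [
    {"host": "ws01", "kind": "process", "parent": "cmd.exe", "cmdline": "shutdown /r /t 1"},
    {"host": "ws02", "kind": "process", "parent": "svchost.exe",
     "cmdline": "C:\\Windows\\System32\\shutdown.exe /r /t 600 /c \"Monthly patching\""},
    {"host": "ws03", "kind": "process", "parent": "powershell.exe",
     "cmdline": "shutdown.exe -s -f -m \\\\fs01 -t 0"},
    {"host": "ws01", "kind": "event", "event_id": 1074, "user": "CORP\\alice",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "shutdown_type": "restart"},
    {"host": "ws02", "kind": "event", "event_id": 1074, "user": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\wininit.exe", "shutdown_type": "restart"},
    {"host": "ws04", "kind": "event", "event_id": 6008},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.host:5} {f.rule:35} {f.detail}")
```

Run as a script it prints five findings and stays silent on ws02, whose 600-second restart with a comment and a wininit.exe-initiated 1074 event look like ordinary patching. The 1074 rule is the one that matters for the API path in the description: a binary calling InitializeSystemShutdownExW or ExitWindowsEx never spawns shutdown.exe, so command-line monitoring alone misses it, while a 6008 after a hard-error BSOD is only corroboration and should be correlated with the preceding process activity rather than alerted on by itself.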
Platforms
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victi... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used malware that will issue the command <code>shutdown /r /t 1</code> to reboot a system after wip... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: U... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has manually turned off and encrypted virtual machines.(Citation: CISA Medusa Group Medusa Ranso... |
Associated Software (25)
| ID | Name | Type | Context |
|---|---|---|---|
| S1125 | AcidRain | Malware | [AcidRain](https://attack.mitre.org/software/S1125) reboots the target system once the various wiping processes are complete.(Citation: AcidRain JAGS ... |
| S1033 | DCSrv | Malware | [DCSrv](https://attack.mitre.org/software/S1033) has a function to sleep for two hours before rebooting the system.(Citation: Checkpoint MosesStaff No... |
| S9038 | DynoWiper | Malware | [DynoWiper](https://attack.mitre.org/software/S9038) has used the Microsoft Windows native `ExitWindowsEx()` function to log off the interactive user ... |
| S1136 | BFG Agonizer | Malware | [BFG Agonizer](https://attack.mitre.org/software/S1136) uses elevated privileges to call <code>NtRaiseHardError</code> to induce a "blue screen of dea... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can initiate a reboot of the backup server to hinder recovery.(Citation: Picus Qilin MAR 2025) |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) reboots the infected system following wiping and related tasks to prevent system recovery.... |
| S1167 | AcidPour | Malware | [AcidPour](https://attack.mitre.org/software/S1167) includes functionality to reboot the victim system following wiping actions, similar to [AcidRain]... |
| S0372 | LockerGoga | Malware | [LockerGoga](https://attack.mitre.org/software/S0372) has been observed shutting down infected systems.(Citation: Wired Lockergoga 2019) |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) will shut down the compromised system after it is done modifying system configuration set... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a ... |
| S0582 | LookBack | Malware | [LookBack](https://attack.mitre.org/software/S0582) can shutdown and reboot the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019) |
| S1133 | Apostle | Malware | [Apostle](https://attack.mitre.org/software/S1133) reboots the victim machine following wiping and related activity.(Citation: SentinelOne Agrius 2021... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can shutdown a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` fl... |
| S0607 | KillDisk | Malware | [KillDisk](https://attack.mitre.org/software/S0607) attempts to reboot the machine by terminating specific processes.(Citation: Trend Micro KillDisk 2... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can initiate a system reboot or shutdown.(Citation: Google XLoader 2017) |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) can restart the victim system if it encounters an error during execution, and will forcibly sh... |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) will reboot the system one hour after infection.(Citation: Talos Nyetya June 2017)(Citation: US Di... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has the ability to restart compromised hosts.(Citation: Elastic Latrodectus May 2024) |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can reboot or shutdown the targeted system or logoff the current user.(Citation: Mandiant ROAD... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) will reboot the infected system once the wiping functionality has been completed.(Citation: Unit 42... |
References
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.
- lzcapp. (n.d.). Retrieved September 22, 2025.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.
- NtDoc. (n.d.). NtRaiseHardError - NtDoc. Retrieved September 22, 2025.
- Chechik, O., Fakterman, T., Frank, D. and Dahan, A. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
- SecurityNews. (2024, July 12). Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant. Retrieved September 22, 2025.
- Thomas, W., Arsene, A. L. and Hendi, F. (2022, February 25). CrowdStrike Falcon® Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved September 22, 2025.
Frequently Asked Questions
What is T1529 (System Shutdown/Reboot)?
T1529 is a MITRE ATT&CK technique named 'System Shutdown/Reboot'. It belongs to the Impact tactic(s). Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or networ...
How can T1529 be detected?
Detection of T1529 (System Shutdown/Reboot) typically involves monitoring process-creation and command-line telemetry for shutdown/reboot commands (such as the shutdown /r /t 1 invocation noted above), system event logs that record which process initiated a shutdown, and endpoint telemetry for calls to the shutdown APIs named in the description. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1529?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1529?
Known threat groups using T1529 include: APT38, APT37, Lazarus Group, Medusa Group.