Adversaries may shut down or reboot systems to evade detection or to complete persistence changes that only take effect across a reboot. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify potential lateral movement or persistence tactics.
KQL Query

```kql
// Hunting query: shutdown.exe launches seen in the normalized process events.
// The timeframe declared on the original page was never applied; it now bounds the lookback.
let timeframe = 1d;
imProcessCreate
| where TimeGenerated >= ago(timeframe)
| where Process has "shutdown.exe"
| extend HostCustomEntity = Dvc, AccountCustomEntity = User
```

Analytic rule definition (YAML):

```yaml
id: 614a59c5-2dae-4430-bb16-951a28a5f05f
name: Windows System Shutdown/Reboot (Normalized Process Events)
description: |
  'This detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)'
requiredDataConnectors: []
tactics:
  - Impact
relevantTechniques:
  - T1529
query: |
  let timeframe = 1d;
  imProcessCreate
  | where TimeGenerated >= ago(timeframe)
  | where Process has "shutdown.exe"
  | extend HostCustomEntity = Dvc, AccountCustomEntity = User
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Known benign scenarios and the exclusion suggested for each:

- Scenario: A system administrator performs a scheduled reboot via Task Scheduler to apply critical updates.
  Filter/Exclusion: Exclude events where the process name is schtasks.exe and the command line includes /run with a task name related to system updates.
- Scenario: A Windows Update Agent triggers a reboot after a patch installation.
  Filter/Exclusion: Exclude events where the process name is wuauclt.exe and the command line includes reboot or rebootmgr.
- Scenario: A System Center Configuration Manager (SCCM) client initiates a reboot as part of a deployment.
  Filter/Exclusion: Exclude events where the process name is ccmexec.exe and the command line includes reboot or rebootmgr.
- Scenario: A PowerShell script is used by an admin to gracefully shut down a server during maintenance.
  Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes Stop-Computer or shutdown /s.
- Scenario: A remote desktop session is ended, triggering a system shutdown due to inactivity or policy enforcement.
  Filter/Exclusion: Exclude events where the process name is tscon.exe or mstsc.exe and the event is associated with a remote session termination.
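The exclusions above name processes (wuauclt.exe, ccmexec.exe, schtasks.exe, tscon.exe, mstsc.exe, powershell.exe) that are the launcher of shutdown.exe rather than shutdown.exe itself, so they are applied to the parent process field. The tuned hunting query below is an added example, not the rule's own query; it assumes the ASIM ProcessEvent fields ActingProcessName (parent process) and CommandLine are populated by the imProcessCreate parser, and flags shutdown.exe's /m switch (remote computer target) as a lateral-movement indicator worth reviewing.

```kql
// Added tuning example: applies the benign-scenario exclusions to the
// normalized process events, then summarizes per host/user for hunting.
// Assumption: imProcessCreate exposes ActingProcessName and CommandLine.
let timeframe = 1d;
// Parents that legitimately spawn shutdown.exe for patching, SCCM deployments,
// scheduled update tasks and remote-session teardown (scenarios listed above)
let benign_parents = dynamic(["wuauclt.exe", "ccmexec.exe", "schtasks.exe",
                              "tscon.exe", "mstsc.exe"]);
imProcessCreate
| where TimeGenerated >= ago(timeframe)
| where Process has "shutdown.exe"
| extend ParentName = tolower(tostring(ActingProcessName)),
         Cmd = tolower(tostring(CommandLine))
// Exclusion: update/SCCM/scheduled-task reboots from a known benign parent
| where not(ParentName has_any (benign_parents)
            and (Cmd contains " /r" or Cmd has_any ("reboot", "rebootmgr")))
// Exclusion: admin maintenance shutdown ("shutdown /s") driven from PowerShell
| where not(ParentName has "powershell.exe" and Cmd contains " /s")
// Enrichment for triage: /m targets another computer, /f forces app closure
| extend RemoteTarget = Cmd contains " /m",
         Forced = Cmd contains " /f"
| summarize Count = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Parents = make_set(ParentName, 10),
            CommandLines = make_set(Cmd, 10),
            AnyRemoteTarget = max(RemoteTarget), AnyForced = max(Forced)
    by Dvc, User
| order by AnyRemoteTarget desc, Count desc
| extend HostCustomEntity = Dvc, AccountCustomEntity = User
```

Rows with AnyRemoteTarget set, or a parent not in the benign list, are the ones to review first; the exclusions only remove the five benign patterns the page describes, so any other launcher of shutdown.exe still surfaces.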