Adversaries may use system shutdown or reboot events to mask lateral movement or exfiltration activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert operations that leverage system restarts to evade detection.
KQL Query
// Sysmon process-creation events (Event ID 1) forwarded to the Event table
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
// Keep only the event title, e.g. "Process Create", from the rendered description
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
// EventData is XML: DataItem/EventData/Data elements, one per Sysmon field
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
// Each <Data Name="X">value</Data> becomes a Key/Value pair ...
| extend Key=tostring(['@Name']), Value=['#text']
// ... and the pivot turns the pairs back into one column per Sysmon field (Image, CommandLine, RuleName, ...)
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
// The pivoted columns only exist when the field was present, so default them before use
| extend RuleName = column_ifexists("RuleName", ""), TechniqueId = column_ifexists("TechniqueId", ""), TechniqueName = column_ifexists("TechniqueName", "")
// Sysmon config rules tagged with MITRE metadata ("technique_id=T1529,technique_name=...") are split into their own columns
| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
// The actual hunt: any process creation whose image is shutdown.exe
| where Image has "shutdown.exe"
| extend HostCustomEntity = Computer, AccountCustomEntity = UserName
id: 024b3726-add7-4e06-842d-932034ba21f7
name: Windows System Shutdown/Reboot(Sysmon)
description: |
  'This detection uses Sysmon telemetry to detect System Shutdown/Reboot (MITRE Technique: T1529)'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Impact
relevantTechniques:
  - T1529
query: |
  Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1
  | extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key=tostring(['@Name']), Value=['#text']
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | extend RuleName = column_ifexists("RuleName", ""), TechniqueId = column_ifexists("TechniqueId", ""), TechniqueName = column_ifexists("TechniqueName", "")
  | parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
  | where Image has "shutdown.exe"
  | extend HostCustomEntity = Computer, AccountCustomEntity = UserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
Scenario: Scheduled System Reboot via Task Scheduler
Description: A legitimate scheduled task configured to reboot the system at a specific time (e.g., during maintenance windows).
Filter/Exclusion: Check for EventID=100 (System Reboot) or filter by TaskName containing “Maintenance” or “Reboot”. Use Task Scheduler logs or Event ID 100 to confirm it’s a planned reboot.
Scenario: Windows Update Reboot
Description: A system reboot triggered by Windows Update after a patch installation.
Filter/Exclusion: Filter by EventID=6008 (System Crash) or EventID=6006 (System Event) to identify update-related reboots. Use Windows Update logs or check for KBxxxxxx in event details.
Scenario: Admin Performing Manual System Reboot
Description: An administrator manually initiates a reboot via the command line or GUI (e.g., shutdown /r /t 0).
Filter/Exclusion: Filter by CommandLine containing shutdown /r or shutdown -r -t 0. Check for administrative privileges and user context (e.g., User=Administrator).
Scenario: VM Host Reboot Affecting Guest Systems
Description: A reboot of the host machine in a virtualized environment that causes guest systems to reboot or appear to reboot.
Filter/Exclusion: Check for EventID=100 and correlate with hypervisor logs (e.g., VMware vmkernel.log, Hyper-V eventvwr logs). Filter by ComputerName matching the host machine.
Scenario: System Reboot Triggered by Group Policy Client Processing
Description: A reboot is initiated by Group Policy Client
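The following Python script is an added example, not part of the hunt above or of the Sentinel rule: it reproduces what the KQL pipeline does (parse the Event table's EventData XML, pivot each <Data Name="..."> element into a field, keep Sysmon Event ID 1 rows whose Image is shutdown.exe, and split the Sysmon RuleName MITRE tags), then applies the "Admin Performing Manual System Reboot" triage from the scenarios to each hit. The sample rows, the DataItem/EventData wrapper shape, the host and user names, and the rule that "account name equals Administrator" counts as an admin context are all constructed assumptions for the demonstration; a real deployment would check group membership rather than an account name.

```python
"""Offline mirror of the Sentinel Sysmon shutdown.exe hunt plus scenario triage.

Constructed example: the Event rows below are made up to resemble what the
Log Analytics agent ships for Sysmon Event ID 1 (assumed DataItem/EventData
wrapper); nothing here is the page's own code.
"""
import re
import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _local(tag: str) -> str:
    """Drop the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def pivot_event_data(event_data_xml: str) -> dict:
    """Same result as the query's parse_xml -> mv-expand -> bag_unpack -> pivot:
    {Data@Name: #text} for every <Data> under DataItem/EventData."""
    root = ET.fromstring(event_data_xml)
    fields = {}
    if _local(root.tag) != "DataItem":
        return fields
    for child in root:
        if _local(child.tag) != "EventData":
            continue
        for data in child:
            if _local(data.tag) == "Data" and "Name" in data.attrib:
                fields[data.attrib["Name"]] = (data.text or "").strip()
    return fields


# Equivalent of: parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
_RULE_RE = re.compile(r"technique_id=([^,]*),.*?technique_name=(.*)$")
# Approximates KQL `Image has "shutdown.exe"` (case-insensitive, term-bounded)
_SHUTDOWN_RE = re.compile(r"(?<![a-z0-9])shutdown\.exe(?![a-z0-9])", re.I)
# Scenario "Admin Performing Manual System Reboot": shutdown /r or shutdown -r -t 0
_MANUAL_REBOOT_RE = re.compile(r"shutdown(\.exe)?\s+(/r|-r\s+-t\s+0)", re.I)


def parse_rule_name(rule_name: str):
    m = _RULE_RE.search(rule_name or "")
    return (m.group(1), m.group(2)) if m else ("", "")


def hunt(events: list) -> list:
    """Apply the query's filters to Event rows and return the hits with the
    same entity columns the rule maps (HostCustomEntity, AccountCustomEntity)."""
    hits = []
    for ev in events:
        if ev.get("Source") != "Microsoft-Windows-Sysmon" or ev.get("EventID") != 1:
            continue
        f = pivot_event_data(ev["EventData"])
        if not _SHUTDOWN_RE.search(f.get("Image", "")):
            continue
        technique_id, technique_name = parse_rule_name(f.get("RuleName", ""))
        hits.append({
            "TimeGenerated": ev.get("TimeGenerated"),
            "HostCustomEntity": ev.get("Computer"),
            "AccountCustomEntity": ev.get("UserName"),
            "Image": f.get("Image", ""),
            "CommandLine": f.get("CommandLine", ""),
            "ParentImage": f.get("ParentImage", ""),
            "User": f.get("User", ""),
            "TechniqueId": technique_id,
            "TechniqueName": technique_name,
        })
    return hits


def triage(hit: dict) -> str:
    """Label a hit per the manual-admin-reboot scenario: a reboot command line
    run as an administrator. Assumption: admin context == account named
    'Administrator' (the page's example); everything else stays for review."""
    account = hit["User"].rsplit("\\", 1)[-1]
    if _MANUAL_REBOOT_RE.search(hit["CommandLine"]) and account.lower() == "administrator":
        return "manual_admin_reboot"
    return "review"


def _event(fields: dict) -> str:
    """Build a constructed EventData XML string in the assumed agent format."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<DataItem type="System.XmlData" time="2024-01-01T02:00:00Z" sourceHealthServiceId="x">'
            f'<EventData xmlns="{SYSMON_NS}">{data}</EventData></DataItem>')


# Constructed sample rows: a planned admin reboot, a shutdown from an odd
# parent under a normal user, an unrelated Sysmon event, and a non-Sysmon row.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-01T02:00:00Z", "Source": "Microsoft-Windows-Sysmon", "EventID": 1,
     "Computer": "ws01.corp.local", "UserName": r"CORP\Administrator",
     "EventData": _event({"RuleName": "technique_id=T1529,technique_name=System Shutdown/Reboot",
                          "Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown /r /t 0",
                          "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\Administrator"})},
    {"TimeGenerated": "2024-01-01T03:15:00Z", "Source": "Microsoft-Windows-Sysmon", "EventID": 1,
     "Computer": "ws02.corp.local", "UserName": r"CORP\jdoe",
     "EventData": _event({"RuleName": "technique_id=T1529,technique_name=System Shutdown/Reboot",
                          "Image": r"C:\Windows\System32\shutdown.exe",
                          "CommandLine": r'"C:\Windows\System32\shutdown.exe" /s /t 0',
                          "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "User": r"CORP\jdoe"})},
    {"TimeGenerated": "2024-01-01T03:16:00Z", "Source": "Microsoft-Windows-Sysmon", "EventID": 1,
     "Computer": "ws02.corp.local", "UserName": r"CORP\jdoe",
     "EventData": _event({"RuleName": "-", "Image": r"C:\Windows\System32\notepad.exe",
                          "CommandLine": "notepad.exe", "User": r"CORP\jdoe"})},
    {"TimeGenerated": "2024-01-01T03:17:00Z", "Source": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "Computer": "ws02.corp.local", "UserName": r"CORP\jdoe", "EventData": _event({"NewProcessName": "x"})},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(triage(h), h["HostCustomEntity"], h["AccountCustomEntity"], h["CommandLine"], h["TechniqueId"])
```

Running the script yields two hits: the administrator's `shutdown /r /t 0` from cmd.exe is labelled `manual_admin_reboot`, while the `/s` shutdown launched from a user's Temp directory stays `review`, which is the kind of row the hunt exists to surface.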