Host Shutdown
Definition
Initiating a host's shutdown sequence to terminate all running processes.
How It Works
Host shutdown can be initiated either physically, at the device, using its power controls, or remotely through the operating system's management interface or an installed EDR agent that exposes a shutdown function. Because a shutdown clears volatile memory, it may remove malware that resides only in memory (fileless malware), and it stops an active compromise from causing further damage, for example when the host is acting as part of a botnet.
Considerations
- If the attacker has established persistence, the malware may return when the host is restarted, so shutdown alone may not be effective.
- Compromised systems may not respond to remote shutdown or reboot commands, requiring physical intervention.
- Shutting down a system clears volatile memory, which may hold evidence useful to forensic analysis (for example running processes, network connections and the fileless malware itself); consider capturing that state before deciding to shut down.
- Shutting down systems disrupts access to computing resources for legitimate users.
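An added example (not from the D3FEND article or its references) of how a responder might wire the considerations above into one procedure: snapshot the volatile state that the shutdown will destroy, then issue the shutdown only after explicit confirmation, so the planned command can be logged and reviewed first. It assumes a POSIX shell on a Unix-like host with ps(1); ss, netstat and lsmod are optional, and the HOST_SHUTDOWN_CONFIRM variable and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not D3FEND's code): capture volatile state, then
# initiate an orderly host shutdown. Assumes a POSIX shell on a
# Unix-like host; ss(1)/netstat(8)/lsmod(8) are used only if present.

# collect_volatile_state DIR
# Snapshot the in-memory state a shutdown destroys (processes, sockets,
# loaded kernel modules, logged-in users) into DIR. Prints DIR on success.
collect_volatile_state() {
    dir="$1"
    mkdir -p "$dir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dir/collected_at.txt"
    uname -a > "$dir/uname.txt" 2>&1
    # POSIX ps fields; fall back to a bare ps if this ps lacks them.
    ps -e -o pid,ppid,user,etime,comm > "$dir/processes.txt" 2>&1 \
        || ps > "$dir/processes.txt" 2>&1
    # Network state: prefer ss, then netstat, else record its absence.
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$dir/sockets.txt" 2>&1
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an > "$dir/sockets.txt" 2>&1
    else
        echo "no ss/netstat available" > "$dir/sockets.txt"
    fi
    # Loaded kernel modules (Linux only); kernel-level malware lives here.
    if command -v lsmod >/dev/null 2>&1; then
        lsmod > "$dir/modules.txt" 2>&1
    else
        echo "lsmod not available" > "$dir/modules.txt"
    fi
    # Logged-in users, so the disruption to legitimate users is recorded.
    who > "$dir/who.txt" 2>&1 || true
    printf '%s\n' "$dir"
}

# plan_shutdown MODE [DELAY_MINUTES]
# Print the shutdown(8) command for MODE "halt" (D3-HS) or "reboot"
# (D3-HR). Kept separate from execution so the command can be reviewed
# or handed to a remote agent before anything runs.
plan_shutdown() {
    mode="$1"
    delay="${2:-1}"
    case "$mode" in
        halt)   flag="-h" ;;
        reboot) flag="-r" ;;
        *)      echo "plan_shutdown: unknown mode '$mode'" >&2; return 2 ;;
    esac
    printf 'shutdown %s +%s\n' "$flag" "$delay"
}

# host_shutdown MODE EVIDENCE_DIR
# Collect volatile state first, then run the planned command only when
# the operator has set HOST_SHUTDOWN_CONFIRM=yes (hypothetical name);
# otherwise print what would have been executed.
host_shutdown() {
    mode="$1"
    evidence="$2"
    collect_volatile_state "$evidence" >/dev/null || return 1
    cmd="$(plan_shutdown "$mode")" || return 2
    if [ "${HOST_SHUTDOWN_CONFIRM:-no}" = "yes" ]; then
        $cmd
    else
        echo "dry run: would execute: $cmd"
    fi
}
```

Run as `HOST_SHUTDOWN_CONFIRM=yes host_shutdown halt /var/tmp/ir-evidence` (as root) to perform the shutdown; without the variable it only collects evidence and prints the plan. The evidence directory should be copied off the host before the shutdown completes, since the point of collecting it is to survive the loss of memory state.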
Technique Subclasses
There are 2 techniques in this category, Host Shutdown: the parent technique itself and its subclass Host Reboot.

Name | ID | Definition | Synonyms
---|---|---|---
Host Shutdown | D3-HS | Initiating a host's shutdown sequence to terminate all running processes. |
- Host Reboot (subclass of Host Shutdown) | D3-HR | Initiating a host's reboot sequence to terminate all running processes. |
References
The following references were used to develop the Host Shutdown knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Botacin, M., Grégio, A., Zanata Alves, M. A. Near-Memory & In-Memory Detection of Fileless Malware. Academic paper.
D3FEND™
A knowledge graph of cybersecurity countermeasures