MITRE ATT&CK: System shutdown/reboot

Introduction 

When system features are used against the system itself, attackers have a unique opportunity to use the in-built capabilities of a computer to make it do what they want. 

Everyone knows that system shutdown and reboot are ubiquitous system features spanning every platform, practically as common as a keyboard. Shutdown/reboot denies system availability to users, and attackers use this feature to their benefit by denying them the availability of their system during an attack. 

This article will detail the system shutdown/reboot attack technique as enumerated in the MITRE ATT&CK matrix. We’ll explore the danger of abuse of system features-based attack techniques, what this attack technique is, real-world examples of this attack technique in action, the problem with mitigation and how to detect this attack. 

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.

What is the system shutdown/reboot attack technique?

System shutdown and reboot is something that everyone who has touched a PC is at least familiar with. Attackers can use this feature to cause interruption to system access or in furtherance of target system destruction. 

For the most part, when attackers use this technique, they are not using the shutdown/reboot button located in the Windows Start menu (unless (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/tZslD8dAAEY/