
DETECTION OVERVIEW

New Remote System Shutdown Attempt

Risk Factors

On a default Windows configuration, it is relatively easy to shut down or restart a device remotely, but a remote shutdown request is also easy to detect. A malicious shutdown can destroy data held in memory or cause a denial of service (DoS).

The system might change the risk score for this detection.

Kill Chain

Actions on Objective

Risk Score

56


Attack Background

An attacker can have many reasons to shut down or restart a device from a remote system: to destroy the contents of system memory, to trigger changes that only take effect after a reboot, or simply to take the device offline. One approach to shutting down a device remotely is to send Microsoft remote procedure call (MS-RPC) requests to an interface on the victim device, using methods such as WsdrInitiateShutdown, RpcWinStationShutdownSystem, BaseInitiateShutdownEx, or BaseInitiateSystemShutdown.
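The detection logic this page describes can be illustrated with a small baseline-and-alert routine. The following is an added example, not ExtraHop's detection code: it learns which client-to-server pairs normally issue the MS-RPC shutdown methods named above during a learning window, then flags any shutdown call in a later window that comes from a pair it has never seen. The record format, IP addresses, timestamps and the non-shutdown call in the sample data are all constructed for the example.

```python
# Added example (not ExtraHop's code): "new remote shutdown" detection
# over constructed MS-RPC call records of the form
#   <timestamp> <client-ip> <server-ip> <rpc-method>
from dataclasses import dataclass

# Shutdown methods listed on the detection page.
SHUTDOWN_METHODS = frozenset({
    "WsdrInitiateShutdown",
    "RpcWinStationShutdownSystem",
    "BaseInitiateShutdownEx",
    "BaseInitiateSystemShutdown",
})


@dataclass(frozen=True)
class RpcCall:
    ts: str
    client: str
    server: str
    method: str


def parse_line(line: str) -> RpcCall:
    """Parse one constructed record; raises ValueError on a malformed line."""
    ts, client, server, method = line.split()
    return RpcCall(ts, client, server, method)


def build_baseline(lines):
    """Return the set of (client, server) pairs that issued shutdown
    calls during the learning window; all other RPC traffic is ignored."""
    baseline = set()
    for line in lines:
        call = parse_line(line)
        if call.method in SHUTDOWN_METHODS:
            baseline.add((call.client, call.server))
    return baseline


def detect_new_remote_shutdowns(lines, baseline):
    """Return one alert dict per shutdown call whose (client, server)
    pair was not seen in the baseline. A known client targeting a new
    server is still 'new', since the pair is what was learned."""
    alerts = []
    for line in lines:
        call = parse_line(line)
        if call.method not in SHUTDOWN_METHODS:
            continue  # not a shutdown request
        if (call.client, call.server) in baseline:
            continue  # expected (e.g. patch-management host rebooting a server)
        alerts.append({
            "ts": call.ts,
            "client": call.client,
            "server": call.server,
            "method": call.method,
            "reason": f"{call.client} has not previously sent a shutdown "
                      f"request to {call.server}",
        })
    return alerts


# Constructed sample data: 10.0.0.10 plays a patch-management host that
# routinely reboots two servers; 10.0.3.77 is a workstation that suddenly
# starts issuing shutdown requests.
LEARNING_WINDOW = [
    "2024-01-02T01:00:00Z 10.0.0.10 10.0.1.20 BaseInitiateShutdownEx",
    "2024-01-02T01:05:00Z 10.0.0.10 10.0.1.21 BaseInitiateShutdownEx",
    "2024-01-02T02:00:00Z 10.0.0.33 10.0.1.20 BaseRegQueryValue",  # registry read, not a shutdown
]
DETECTION_WINDOW = [
    "2024-01-09T01:00:00Z 10.0.0.10 10.0.1.20 BaseInitiateShutdownEx",  # known pair, no alert
    "2024-01-09T13:42:07Z 10.0.3.77 10.0.1.20 WsdrInitiateShutdown",  # new client
    "2024-01-09T13:42:09Z 10.0.3.77 10.0.1.21 RpcWinStationShutdownSystem",  # new client
    "2024-01-09T13:42:11Z 10.0.0.10 10.0.1.22 BaseInitiateSystemShutdown",  # known client, new target
    "2024-01-09T14:00:00Z 10.0.3.77 10.0.1.20 BaseRegQueryValue",  # not a shutdown
]


def run_demo():
    """Build the baseline from the learning window and scan the detection window."""
    baseline = build_baseline(LEARNING_WINDOW)
    return detect_new_remote_shutdowns(DETECTION_WINDOW, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["ts"], alert["method"], "-", alert["reason"])
```

The pair-based baseline is deliberate: a known administrative host turning up with a new target server is still worth a look, because that is how a compromised management host would appear. In practice the learning window would be refreshed continuously and known maintenance hosts would carry a lower score, which is what the "system might change the risk score" note above refers to.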

Mitigation Options

Investigate unusual system shutdowns to minimize potential damage

Limit the number of privileged users in your environment

Implement network segmentation and firewall policies to limit how devices can communicate and enforce security zones

Maintain off-site and up-to-date backup files that can restore critical data and systems

MITRE ATT&CK ID
