AN1538: Analytic 1538
Correlate process execution of shutdown/reboot commands (e.g., shutdown.exe, restart-computer) with host status change logs (Event IDs 1074, 6006) and absence of related administrative context (e.g., user not in Helpdesk group).
Analyst context for executives and security teams
AN1538 is a Windows-focused detection analytic for identifying potentially unauthorized shutdown or reboot activity by correlating shutdown-related process execution with host status change events and missing administrative context. For leaders, this matters because unexpected restarts can interrupt business operations, disrupt investigations, hide attacker activity, or indicate weak control over privileged operational actions.
Executive priority
Treat this as an operational resilience and accountability control. Security and IT leaders should ask whether the organization can prove who initiated Windows shutdowns or reboots, whether the action was expected, and whether the initiating user had an approved administrative role such as Helpdesk. The value is not just alerting; it is audit-ready evidence for disruptive host changes and faster incident triage when availability or forensic continuity is affected.
Technical view
SOC and detection teams should validate correlation across Windows process execution for commands such as shutdown.exe or PowerShell restart-computer, Windows host status change logs including Event IDs 1074 and 6006, and identity or group context showing whether the user belongs to an expected administrative group. Because no ATT&CK tactic is specified and no separate official detection text is provided, implementation should stay scoped to the supplied analytic description and be tuned against local maintenance and helpdesk workflows.
Likely telemetry
- Windows process execution telemetry for shutdown or reboot commands
- Windows Event ID 1074 indicating planned shutdown or restart activity
- Windows Event ID 6006 indicating event log service stopped during shutdown
- User identity and group membership context, especially administrative or Helpdesk membership
- Change, maintenance, or ticketing context where available to distinguish approved activity from suspicious activity
Detection direction
- Correlate command execution with subsequent host status change events rather than relying on a single event source.
- Enrich alerts with user group membership to identify cases where the actor lacks expected administrative context.
- Tune for known maintenance windows, endpoint management tooling, and legitimate helpdesk operations to reduce false positives.
- Validate whether telemetry survives reboot timing and whether event forwarding captures shutdown-related events before the host goes offline.
- Investigate gaps where process telemetry, Windows event logs, or identity group data are not centrally collected or time-synchronized.
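The correlation described above, as an added illustration that is not part of the analytic text or of any MITRE or Glexia code: process-execution records for shutdown-style commands are matched against Event ID 1074 and 6006 records from the same host inside a short window, and the initiating user's group membership decides the severity. The event records, host and user names, the `Helpdesk` authorization rule, the five-minute window and the clock-skew tolerance are all constructed assumptions for this example.

```python
"""Correlate shutdown/reboot command execution with Windows host status
events (IDs 1074, 6006) and check the initiating user's group context.

Added example for AN1538. All telemetry, names, groups and thresholds
below are constructed for illustration; none come from the page or MITRE.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

SHUTDOWN_IMAGES = {"shutdown.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SHUTDOWN_CMD_FRAGMENTS = ("restart-computer", "stop-computer")
STATUS_EVENT_IDS = {1074, 6006}
AUTHORIZED_GROUPS = {"Helpdesk"}            # assumed authorized role
CORRELATION_WINDOW = timedelta(minutes=5)   # assumed window after the command
CLOCK_SKEW = timedelta(seconds=5)           # assumed tolerance for unsynchronized clocks

# Constructed sample telemetry (not real log data).
PROCESS_EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown.exe /r /t 0"},
    {"ts": "2024-05-01T14:22:05", "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Restart-Computer -Force"},
    {"ts": "2024-05-01T15:00:00", "host": "WS03", "user": "CORP\\carol",
     "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown.exe /a"},
    {"ts": "2024-05-01T14:20:00", "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]
SYSTEM_EVENTS = [
    {"ts": "2024-05-01T02:10:01", "host": "WS01", "event_id": 1074, "user": "CORP\\alice"},
    {"ts": "2024-05-01T02:10:03", "host": "WS01", "event_id": 6006},
    {"ts": "2024-05-01T14:22:09", "host": "WS02", "event_id": 6006},
    # Logged 1 s before the process event: simulates clock skew between sources.
    {"ts": "2024-05-01T14:22:04", "host": "WS02", "event_id": 1074, "user": "CORP\\bob"},
]
GROUP_MEMBERSHIP: Dict[str, Set[str]] = {
    "CORP\\alice": {"Domain Users", "Helpdesk"},
    "CORP\\bob": {"Domain Users"},
    "CORP\\carol": {"Domain Users"},
}


def is_shutdown_command(event: dict) -> bool:
    """True when the process event is shutdown.exe or a PowerShell reboot cmdlet."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    if image in SHUTDOWN_IMAGES:
        return True
    return image in POWERSHELL_IMAGES and any(f in cmdline for f in SHUTDOWN_CMD_FRAGMENTS)


def correlate(process_events: List[dict], system_events: List[dict],
              group_membership: Dict[str, Set[str]],
              window: timedelta = CORRELATION_WINDOW,
              skew: timedelta = CLOCK_SKEW,
              authorized: Set[str] = AUTHORIZED_GROUPS) -> List[dict]:
    """Return one finding per shutdown command that is followed by a host
    status change; severity is 'high' when the user lacks an authorized group."""
    by_host: Dict[str, List[dict]] = {}
    for ev in system_events:
        if ev["event_id"] in STATUS_EVENT_IDS:
            by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for proc in sorted(process_events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if not is_shutdown_command(proc):
            continue
        start = datetime.fromisoformat(proc["ts"]) - skew
        end = datetime.fromisoformat(proc["ts"]) + window
        matched = sorted({
            ev["event_id"] for ev in by_host.get(proc["host"], [])
            if start <= datetime.fromisoformat(ev["ts"]) <= end
        })
        if not matched:
            continue  # command with no host state change: no correlated alert
        groups = group_membership.get(proc["user"], set())  # unknown user -> no context
        is_authorized = bool(groups & authorized)
        findings.append({
            "host": proc["host"], "user": proc["user"], "ts": proc["ts"],
            "cmdline": proc["cmdline"], "matched_event_ids": matched,
            "authorized": is_authorized,
            "severity": "info" if is_authorized else "high",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, SYSTEM_EVENTS, GROUP_MEMBERSHIP):
        print(f["severity"], f["host"], f["user"], f["matched_event_ids"], f["cmdline"])
```

With the constructed data, the Helpdesk member's reboot on WS01 is recorded as an informational, authorized event, the WS02 reboot by a user outside the Helpdesk group is raised as high, and the aborted `shutdown.exe /a` on WS03 produces nothing because no status change follows it. The negative skew tolerance is what lets the WS02 1074 record, logged a second before the process event, still correlate; a user absent from the membership map is treated as having no administrative context rather than silently passing.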
Mitigation priorities
- Define and document which roles are authorized to initiate Windows shutdowns or reboots.
- Restrict shutdown and reboot privileges to approved administrative groups where operationally feasible.
- Maintain reliable Windows event forwarding and process execution logging for systems where unexpected restarts create business or investigative risk.
- Align detection tuning with change management so approved maintenance is distinguishable from unapproved activity.
- Periodically test whether SOC workflows can identify the user, command, host, time, and business context for shutdown or reboot events.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. Its decision value is in validating whether Windows shutdown and reboot activity can be tied to both endpoint evidence and administrative authorization context. It is especially useful for SOC, incident response, identity governance, and operational resilience reviews.
The supplied ATT&CK fields do not specify tactics, related techniques, relationships, or a separate official detection section. The analytic is limited to Windows. Local environment data is required to determine authorized groups, normal maintenance patterns, and whether event collection is complete enough for reliable correlation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5ea47be04a6b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1538 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.