MITRE ATT&CK® Detection Strategy

DET0559: Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events


Domain: Enterprise | ID: DET0559 | Type: Detection Strategy | Object version: 1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0559 is a detection strategy for recognizing shutdown or reboot activity by combining execution evidence with host status events. Its business value is continuity-focused: unexpected shutdowns or reboots can interrupt access to systems and may be part of destructive or disruptive activity under ATT&CK technique T1529, System Shutdown/Reboot.

Executive priority

Leaders should treat this as an operational resilience and incident triage control, not just a log rule. The key decision is whether the organization can quickly distinguish authorized maintenance from suspicious shutdown or reboot activity across relevant environments such as ESXi, Linux, macOS, and network devices referenced by the related ATT&CK technique. This supports incident response readiness, audit evidence for monitoring coverage, and prioritization of logging on systems where downtime has business or cyber-physical consequences.

Technical view

The supplied ATT&CK object has no official detection text and no platforms listed directly, but it detects T1529, which is an impact technique involving system shutdown or reboot. SOC and detection teams should validate correlation between command or process execution events that indicate shutdown/reboot behavior and independent host-status evidence such as restart, uptime change, device reload, or loss-and-return of availability. Because the related technique includes ESXi, Linux, macOS, and network devices, coverage should be assessed per platform rather than assumed globally.

Likely telemetry

  • Process or command execution logs for shutdown, reboot, reload, or equivalent administrative actions
  • Host lifecycle/status events such as boot, restart, shutdown, uptime reset, or service start after reboot
  • Authentication and authorization records showing who initiated administrative access before the event
  • Remote administration or network device CLI session logs where available
  • Infrastructure monitoring alerts for device down/up transitions or unexpected availability loss

Detection direction

  • Correlate execution events with host status changes to reduce reliance on a single log source.
  • Tune against approved patching, maintenance windows, administrator activity, and automated orchestration to manage false positives.
  • Prioritize high-criticality systems and platforms associated with the related technique: ESXi, Linux, macOS, and network devices.
  • Validate whether network devices and virtualization infrastructure provide sufficiently detailed command/session logs; these are common blind spots compared with endpoint telemetry.
  • Alert more strongly when shutdown/reboot activity is remote, clustered across multiple systems, outside maintenance windows, or lacks a corresponding approved change record.
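The following is an added example of the correlation and tuning logic described above; it is not part of the DET0559 object or of Glexia's analysis. It pairs each shutdown or reboot execution event with an independent host-status event on the same host within a fixed window, suppresses activity inside an approved maintenance window, and raises the score when the session was remote or when several hosts are affected close together in time. The log format, hostnames, usernames, timestamps, maintenance window and the command-pattern list are all constructed for illustration; the field names are an assumed normalized schema, not any vendor's.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Shutdown/reboot execution patterns for the platforms T1529 names
# (ESXi, Linux, macOS, network devices). Assumed list, not exhaustive.
# "reload" is accepted only as the leading command so that service reloads
# such as "systemctl reload nginx" do not match.
SHUTDOWN_RE = re.compile(
    r"(^|[\s/])(shutdown|reboot|halt|poweroff|init\s+[06]|esxcli\s+system\s+shutdown)(\s|$)"
    r"|^(sudo\s+)?reload(\s|$)",
    re.IGNORECASE,
)
CORRELATION_WINDOW = timedelta(minutes=15)  # status evidence expected after the exec event
CLUSTER_WINDOW = timedelta(minutes=10)      # confirmed events this close count as a cluster
CLUSTER_MIN_HOSTS = 3


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str     # "exec" (command/process execution) or "status" (host lifecycle)
    user: str
    remote: bool  # True when the session came in over a remote administration path
    detail: str   # command line for exec events, status name for status events


@dataclass
class Alert:
    host: str
    ts: datetime
    command: str
    status_evidence: list  # matching host-status Events, empty if unconfirmed
    reasons: list
    score: int
    suppressed: bool       # True when inside an approved maintenance window


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited normalized log line (constructed format)."""
    ts, host, kind, user, remote, detail = line.split("|", 5)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 host, kind, user, remote == "true", detail)


def is_shutdown_command(cmd: str) -> bool:
    return SHUTDOWN_RE.search(cmd) is not None


def in_maintenance(ts: datetime, windows) -> bool:
    return any(start <= ts <= end for start, end in windows)


def correlate(events, maintenance_windows):
    """Pair each shutdown/reboot execution with host-status evidence on the same
    host, suppress approved maintenance, and raise the score for remote and
    clustered activity. Returns alerts sorted by score, highest first."""
    statuses = [e for e in events if e.kind == "status"]
    alerts = []
    for ex in events:
        if ex.kind != "exec" or not is_shutdown_command(ex.detail):
            continue
        evidence = [s for s in statuses
                    if s.host == ex.host and ex.ts <= s.ts <= ex.ts + CORRELATION_WINDOW]
        suppressed = in_maintenance(ex.ts, maintenance_windows)
        reasons, score = [], 0
        if not evidence:
            reasons.append("no host-status evidence within correlation window")
        elif suppressed:
            reasons.append("inside approved maintenance window")
        else:
            score = 1
            reasons.append("execution confirmed by host-status event outside maintenance")
            if ex.remote:
                score += 1
                reasons.append("initiated from a remote session")
        alerts.append(Alert(ex.host, ex.ts, ex.detail, evidence, reasons, score, suppressed))
    # Second pass: confirmed, unsuppressed alerts on several hosts close in time.
    confirmed = [a for a in alerts if a.score > 0]
    for a in confirmed:
        peers = {b.host for b in confirmed if abs(b.ts - a.ts) <= CLUSTER_WINDOW}
        if len(peers) >= CLUSTER_MIN_HOSTS:
            a.score += 1
            a.reasons.append(f"clustered across {len(peers)} hosts")
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample telemetry: ts|host|kind|user|remote|detail
SAMPLE_LOG = """\
2024-05-01T02:15:00Z|web01|exec|ops|false|sudo shutdown -r now
2024-05-01T02:18:00Z|web01|status|-|false|boot
2024-05-01T09:30:00Z|mac07|exec|jdoe|false|sudo shutdown -h now
2024-05-01T11:00:00Z|build03|exec|ci|true|systemctl reload nginx
2024-05-01T13:02:00Z|esx01|exec|root|true|esxcli system shutdown reboot -r patch
2024-05-01T13:03:00Z|esx01|status|-|false|device_down
2024-05-01T13:09:00Z|esx01|status|-|false|device_up
2024-05-01T13:04:00Z|db02|exec|svc-admin|true|/sbin/reboot
2024-05-01T13:08:00Z|db02|status|-|false|uptime_reset
2024-05-01T13:05:00Z|core-sw1|exec|netops|true|reload in 1
2024-05-01T13:10:00Z|core-sw1|status|-|false|reload_complete
"""
# Constructed approved maintenance window (UTC).
MAINTENANCE_WINDOWS = [(datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
                        datetime(2024, 5, 1, 4, 0, tzinfo=timezone.utc))]
SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LOG.splitlines()]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, MAINTENANCE_WINDOWS):
        flag = "SUPPRESSED " if a.suppressed else ""
        print(f"{a.score} {a.host:9} {a.ts:%H:%M} {flag}{a.command!r}: {'; '.join(a.reasons)}")
```

Run as a script, the three remote reboots at 13:02 to 13:05 on esx01, db02 and core-sw1 each score 3 (confirmed, remote, clustered), the web01 reboot inside the maintenance window is suppressed, and the mac07 shutdown with no host-status event stays at score 0 as an unconfirmed lead. The service reload on build03 never enters the pipeline. In production the correlation window and cluster threshold should be tuned per platform, since virtualization hosts and network devices often report status later and less reliably than endpoints.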

Mitigation priorities

  • Ensure critical systems produce centralized execution, authentication, and host-status telemetry before relying on detections.
  • Restrict shutdown/reboot privileges to authorized administrative roles and review remote administration access paths.
  • Maintain reliable maintenance-window and change-management data so SOC teams can separate expected operational activity from suspicious disruption.
  • Include unexpected shutdown/reboot scenarios in incident response playbooks, especially for systems where downtime affects business continuity.
  • Review recovery expectations, backups, and operational runbooks for assets where reboot or shutdown could create material service impact.

Analyst notes and limits

This take is based on the detection strategy metadata and its relationship to ATT&CK T1529 System Shutdown/Reboot. The strategy name implies multi-platform correlation of execution and host status events, but MITRE supplied no official description or detection procedure for this object. Local logging architecture, administrative practices, and maintenance automation will determine practical fidelity.

The detection strategy object does not specify platforms, tactics, description, or official detection logic. Platform and tactic context comes only from the relationship to T1529. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                     Relationship / procedure
Enterprise  T1529  System Shutdown/Reboot   This object detects System Shutdown/Reboot.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4a2523f7e626d16e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  4a2523f7e626…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0559 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.