DET0801: Detection of Device Restart/Shutdown
Analyst context for executives and security teams
DET0801 is a detection strategy for identifying restart or shutdown of devices in an ICS environment. Its business value is resilience: an unexpected control-system device restart or shutdown can interrupt expected response functions during critical operating states and may affect physical processes. Leaders should treat this as an operational continuity and cyber-physical monitoring question, not only a security alerting question.
Executive priority
Prioritize this where control-system availability, safety, or process continuity depends on devices staying online. The key executive question is whether operations, engineering, and the SOC can distinguish authorized maintenance restarts from unexpected or potentially disruptive shutdown events, and whether there is evidence to support incident decisions, audit inquiries, and recovery coordination. Because ATT&CK provides no official detection text or platform list for this object, priority should be based on local ICS criticality and existing telemetry rather than assumed coverage.
Technical view
This detection strategy is linked to ICS technique T0816, Device Restart/Shutdown. SOC, OT monitoring, and incident response teams should validate whether they can observe device restart and shutdown events initiated through normal device functionality such as management interfaces, command-line access, or network protocol commands, as described in the related technique context. Detection engineering should focus on event timing, initiating source, affected asset criticality, and whether the action aligns with approved maintenance or operator activity.
Likely telemetry
- Control-system device logs showing restart, shutdown, boot, fault, or availability state changes
- OT network monitoring records that may show management or protocol commands associated with restart or shutdown behavior
- Authentication and access logs for device web interfaces, engineering workstations, jump hosts, or administrative sessions where available
- Change-management, maintenance-window, and operator action records for comparison against observed restart or shutdown events
- Asset inventory and criticality data to identify which devices support essential response functions or physical processes
Detection direction
- Validate that restart and shutdown events from critical ICS devices are logged, time-synchronized, retained, and visible to the monitoring function.
- Tune alerts around unexpected timing, unusual initiating systems or users, repeated restart patterns, and restarts outside approved maintenance windows.
- Correlate device availability changes with authentication, network management activity, and operational change records before escalating as malicious.
- Account for false positives from planned maintenance, firmware updates, power events, operator troubleshooting, or normal device lifecycle behavior.
- Identify blind spots where devices lack logging, where OT networks are not monitored, or where maintenance activity is not recorded in a way the SOC can compare.
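The correlation described in the Technical view and the Detection direction list above, as an added example that is not part of the ATT&CK object or of this page: restart/shutdown events are triaged against maintenance windows, an allow-list of administrative hosts, asset criticality, and a repeated-restart threshold. The event fields, the device names, the change ticket, the window times and the host allow-list are all constructed for illustration and do not correspond to any real device log format.

```python
"""Triage of ICS device restart/shutdown events (added example, not page code).

Every record below is constructed. Field names, devices, ticket IDs and hosts
are hypothetical and stand in for whatever the local device logs, change
system and access logs actually provide.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

SEVERITIES = ["info", "medium", "high"]


def bump(sev: str) -> str:
    """Escalate one step, capped at 'high'."""
    return SEVERITIES[min(SEVERITIES.index(sev) + 1, len(SEVERITIES) - 1)]


@dataclass
class RestartEvent:
    ts: datetime
    device: str
    action: str                      # "restart" or "shutdown"
    initiator_user: Optional[str]    # None for power events / unattributed
    initiator_host: Optional[str]    # None when the log carries no source
    method: str                      # "web", "cli", "protocol", "power"


@dataclass
class MaintenanceWindow:
    device: str
    start: datetime
    end: datetime
    ticket: str                      # change-management reference
    approved_users: List[str]


@dataclass
class Finding:
    event: RestartEvent
    severity: str
    reasons: List[str] = field(default_factory=list)


def matching_window(ev: RestartEvent, windows: List[MaintenanceWindow]):
    for w in windows:
        if w.device == ev.device and w.start <= ev.ts <= w.end:
            return w
    return None


def triage(events: List[RestartEvent], windows: List[MaintenanceWindow],
           criticality: Dict[str, str], admin_hosts: Set[str],
           repeat_threshold: int = 3,
           repeat_span: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Score each event. Rules mirror the detection direction above:
    in an approved window by an approved user -> info; outside any window ->
    medium (high for critical assets); non-admin initiating host -> +1 step;
    >= repeat_threshold events on one device within repeat_span -> +1 step."""
    events = sorted(events, key=lambda e: e.ts)
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        reasons: List[str] = []
        w = matching_window(ev, windows)
        if w is None:
            sev = "high" if criticality.get(ev.device) == "critical" else "medium"
            reasons.append("outside any approved maintenance window")
        elif ev.initiator_user not in w.approved_users:
            sev = "medium"
            reasons.append(f"inside window {w.ticket} but initiator "
                           f"{ev.initiator_user!r} not on its approved list")
        else:
            sev = "info"
            reasons.append(f"matches maintenance window {w.ticket}")
        if ev.initiator_host is not None and ev.initiator_host not in admin_hosts:
            sev = bump(sev)
            reasons.append(f"initiating host {ev.initiator_host} is not an "
                           f"approved administrative path")
        # Repeated restart pattern: count this device's events in the look-back.
        recent = [e for e in events[:i + 1]
                  if e.device == ev.device and ev.ts - e.ts <= repeat_span]
        if len(recent) >= repeat_threshold:
            sev = bump(sev)
            reasons.append(f"{len(recent)} restart/shutdown events on "
                           f"{ev.device} within {repeat_span}")
        findings.append(Finding(ev, sev, reasons))
    return findings


def run_sample() -> List[Finding]:
    """Constructed sample data: one approved restart, one unapproved user in
    a window, one protocol shutdown of a critical RTU from an unknown host,
    one power event, and a burst of operator restarts on an HMI."""
    t0 = datetime(2024, 3, 12, 1, 0)
    windows = [MaintenanceWindow("PLC-07", t0 + timedelta(minutes=30),
                                 t0 + timedelta(hours=2), "CHG-4411", ["jdoe"])]
    criticality = {"PLC-07": "critical", "RTU-21": "critical", "HMI-03": "standard"}
    admin_hosts = {"ews-01", "jump-ot-01"}
    events = [
        RestartEvent(t0 + timedelta(hours=1), "PLC-07", "restart", "jdoe", "ews-01", "web"),
        RestartEvent(t0 + timedelta(hours=1, minutes=30), "PLC-07", "shutdown",
                     "contractor1", "ews-01", "web"),
        RestartEvent(t0 + timedelta(hours=3, minutes=15), "RTU-21", "shutdown",
                     "svc_backup", "10.20.5.77", "protocol"),
        RestartEvent(t0 + timedelta(hours=4), "HMI-03", "restart", None, None, "power"),
        RestartEvent(t0 + timedelta(hours=5), "HMI-03", "restart", "op2", "ews-01", "cli"),
        RestartEvent(t0 + timedelta(hours=5, minutes=2), "HMI-03", "restart", "op2", "ews-01", "cli"),
        RestartEvent(t0 + timedelta(hours=5, minutes=4), "HMI-03", "restart", "op2", "ews-01", "cli"),
    ]
    return triage(events, windows, criticality, admin_hosts)


if __name__ == "__main__":
    for f in run_sample():
        print(f.event.ts.isoformat(), f.event.device, f.severity, "; ".join(f.reasons))
```

The scoring is deliberately additive and transparent so an OT engineer can read why an event was escalated; in practice the "approved users" and "admin hosts" inputs come from the change system and jump-host inventory, and a device with no log source at all should surface as a blind spot rather than silently producing no findings.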
Mitigation priorities
- Start with asset criticality: identify ICS devices whose restart or shutdown could disrupt physical processes or expected response functions.
- Ensure operational procedures require authorization and documentation for device restart or shutdown activity.
- Restrict and monitor administrative paths used to access device web interfaces, CLIs, or protocol-based management functions where applicable.
- Improve logging, time synchronization, and retention for device state changes and administrative activity.
- Exercise incident response coordination between SOC, OT engineering, and operations so unexpected restart or shutdown events trigger the right safety, continuity, and recovery decisions.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection text, no specified platforms, and no tactics. The strongest supported context comes from its relationship to T0816, Device Restart/Shutdown, in the ICS domain. Use this take as a validation checklist for OT visibility and operational correlation rather than as a claim of a complete analytic.
Coverage depends heavily on local ICS architecture, device capabilities, available logs, network monitoring, maintenance records, and asset criticality. The ATT&CK source fields do not specify platforms, data sources, analytics, procedures, or adversary use, so no claim is made about active exploitation, attribution, or guaranteed detection.
Detection of Device Restart/Shutdown
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0816 | Device Restart/Shutdown | This object detects Device Restart/Shutdown. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7ce35f1f48a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0801 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.