Active Scanning (T1595)

The MITRE ATT&CK framework is a widely used knowledge base that categorizes various tactics and techniques cyberattackers use during their campaigns. One such tactic is active reconnaissance, which involves probing a victim’s network through direct interaction. Cyberattackers may conduct reconnaissance scans to gather the information they can use to target their victims. These scans differ from passive approaches that don’t involve direct interaction. During active scanning, the adversary sends network traffic to the target and analyzes the responses, which can provide valuable information about the target’s configurations, vulnerabilities, and services. This information can help the adversary identify potential entry points into the target network and determine the best approach for compromising the target. Table 4-1 lists the sub-techniques associated with Active Scanning in the framework.

Gather Victim Identity Information (T1589)

Adversaries may try to gather information about the target’s identity to use during the attack, including personal data like names and email addresses or sensitive information like login credentials. This information can be collected in several ways, such as by sending phishing emails to trick people into giving them information, probing and analyzing responses from authentication services, or finding information online on social media or other websites. Information such as account credentials may be directly associated with the target victim organization, or adversaries may attempt to take advantage of the reuse of passwords in work and private life. Table 4-2 lists the sub-techniques associated with Gather Victim Identity Information in the framework.

Search Closed Sources (T1597)

To target a victim, attackers may search for and gather information from closed sources in cases where such information is not publicly available and can be obtained by purchasing it from private sources, such as threat intelligence platforms or dark web black markets. For example, they may seek personal information about individuals within the target organization, such as names, email addresses, or login credentials. They may also gather information about the target’s technology infrastructure, including hardware and software configurations, network topologies, and other technical details. Table 4-3 lists the sub-techniques associated with Search Closed Sources in the framework.

Acquire Infrastructure (T1583)

Just like a handyman needs a toolbox, adversaries need infrastructure to achieve their objectives. To be successful, adversaries need the right tools—servers, domains, and other resources they must use to carry out the plan. Threat actors can easily acquire the necessary infrastructure by buying, leasing, or renting. With access to physical or cloud servers, domains, and third-party web services, they have a wide variety of options to choose from. Having the proper infrastructure allows adversaries to stage, launch, and execute their operations efficiently. They can blend in with regular online traffic, making it difficult for others to detect their activities. And because they can quickly provision, modify, and shut down their infrastructure as needed, they can promptly abort a mission and move on to the next target.

In today’s digital landscape, having the proper infrastructure is critical for any adversary who wants to achieve their objectives. Whether they are looking to do harm, steal sensitive information, or cause chaos, the proper infrastructure gives them the power to succeed. In simple terms, it can be difficult to stop this technique because it takes place outside of the company’s protection and control. As a result, preventive measures may not be effective in stopping it. Table 4-4 lists the sub-techniques associated with Acquire Infrastructure in the framework.

Develop Capabilities (T1587)

Instead of buying or stealing tools, threat actors may choose to build them themselves. This could include creating malware, exploits, or even their own certificates to support their operations at different stages of their plan. Of course, building anything requires different skills and abilities, but making these tools requires specific knowledge and expertise. Adversaries may have these skills in-house, or they may hire outside help. Even if they choose to hire someone, they may have control and play a role in shaping what they need the tool to do , as well as making it exclusively for their own use. Table 4-5 lists the sub-techniques associated with Develop Capabilities in the framework.

Establish Accounts (T1585)

Establish Accounts is a technique that encompasses actions taken by adversaries to create and cultivate accounts with various online services and platforms. They may use public information to build an identity with a fake history in order to make their actions seem more legitimate. This is essential for social engineering operations, as they may use this phony identity to interact with others and gather information. Creating these fake personas could also involve filling out profiles, building social networks, and adding photos to make them seem real. Adversaries may also create accounts with email providers, which can be directly used for phishing attacks, where they try to trick people into giving away sensitive information. Table 4-6 lists the sub-techniques associated with Establish Accounts in the framework.

Drive-by Compromise (T1189)

Imagine browsing the internet, visiting different websites as you usually do, and you come across a website that looks legitimate and trustworthy. But little do you know, the system has been compromised, and malicious content has been injected into the website.

As soon as you visit the link, the malicious code automatically starts running on your browser, exploiting any known vulnerability it targets. It scans the different versions of your browser and plug-ins, and if it finds any weak point, it will then deliver the exploit code to your browser. The exploit code can then potentially give the attacker access to your system. Sometimes, the compromised website may also be used to deliver malicious applications that steal access tokens, such as OAuth security credentials. These tokens give the attacker access to restricted applications and information, like online account data and other sensitive information. The typical drive-by compromise process is a dangerous way for threat actors to access a user’s system. Here’s how it works:

1. A user visits a website that an adversary controls, which may look legitimate and trustworthy but contains malicious code.

2. As soon as the user visits the website, the scripts on the website automatically start to run on the user’s browser. These scripts scan the different browser versions and plug-ins, looking for any vulnerabilities.

3. The user may be asked to assist in this process by enabling scripting or active website components or ignoring warning dialog boxes on their screen.

4. If a vulnerable version is found, the exploit code is delivered to the browser; this gives the adversary control of the user’s system.

Exploit Public-Facing Application (T1190)

When you use the internet, there are often computers and programs that anyone with an internet connection can access (known as public-facing applications). Unfortunately, there may be weaknesses in these systems that can be taken advantage of by malicious actors. Bugs, glitches, or design flaws in the system can cause these weaknesses, resulting in attackers commonly targeting websites and databases, standard services like SMB or SSH, and network device administration and management protocols like SNMP. When these systems are hosted on cloud-based infrastructure or in containers, exploiting them can compromise the underlying infrastructure, giving the attacker a path to access sensitive data.

Phishing (T1566)

Phishing is a type of cyberattack that aims to steal sensitive information or compromise computer systems. Adversaries conduct phishing attacks by sending electronic messages, such as emails or instant messages, that appear to be from a trustworthy source. These messages are designed to trick the recipient into clicking on a malicious link or downloading a malicious attachment, which can then be used to steal sensitive information or install malware on the recipient’s computer.

Targeted phishing, also known as spearphishing, occurs when the attacker targets a particular individual, company, or industry. In these attacks, the adversary will often use personal information about the target to make the message appear more legitimate. For example, an attacker might send an email to an employee at a financial institution that seems to be from their supervisor, asking the employee to provide sensitive information or download and execute files. Nontargeted phishing, on the other hand, occurs when the attacker sends out many messages to a wide range of potential victims. These attacks often use generic messages or images and are typically sent in large-scale spam campaigns.

Phishing attacks can also occur through social media platforms, as attackers may use these platforms to send malicious messages or to create fake profiles that appear to be from trustworthy sources. Table 4-7 lists the sub-techniques associated with Phishing in the framework.

Supply Chain Compromise (T1195)

Supply chain compromise is a dangerous type of cyberattack that occurs when an adversary manipulates products or delivery mechanisms before they reach the final consumer. It can happen at any stage of the supply chain, from the development tools used to create the product to the delivery of the product to the customer.

This attack usually aims to gain control of a system or steal data, and it is often focused on adding malicious code to distributed or updated software, either targeting specific victims or distributing the code more widely. It can include replacing legitimate software with modified versions, infecting system images, or manipulating source code repositories. Table 4-8 lists the sub-techniques associated with Supply Chain Compromise in the framework.

Command and Scripting Interpreter (T1059)

A command and scripting interpreter is a computer program that allows you to execute instructions written in a programming or scripting language without compiling them first. Interpreters make writing code more accessible and enable you to run human-readable code directly. However, this also makes them preferred tools for attackers to use in their attack campaigns.

Command interpreters, such as Windows Command Shell, PowerShell, and Unix Shell, are built-in tools in operating systems that execute user-specified commands. Scripts, on the other hand, are series of commands written in scripting languages such as PowerShell, Perl, JavaScript, and Python, which a scripting interpreter executes. While these tools are used by legitimate users such as system administrators and programmers to automate tasks, attackers often use them to run malicious code, collect information, and persist in a victim machine. The tools mentioned here, along with others, are comprehensively covered in Chapter 5.

For example, PowerShell is a popular tool used by attackers because it is a built-in utility in Windows operating systems and provides extensive access to the internals of Windows. Attackers can use it to develop fileless malware that runs entirely in memory and leave no traces on the disk. Publicly available tools like Empire and Nishang have also been developed using PowerShell and are frequently leveraged by threat actors in cyberattacks.

Similarly, AppleScript is a scripting language used for macOS that allows adversaries to interact with any application running locally or remotely. Adversaries use it to perform various tasks, such as locating open windows and transmitting keystrokes. Table 4-9 lists the sub-techniques associated with Command and Scripting Interpreter in the framework.

Exploitation for Client Execution (T1203)

A client application is software individuals use to perform tasks, such as web browsing or word processing. These applications can have vulnerabilities, which are weaknesses in the code that attackers can exploit to gain access to the target system. There are several types of client execution exploitation, including browser-based exploitation, office application exploitation, and exploitation of common third-party applications. These exploits are delivered in various ways, such as through normal web browsing, spearphishing emails, or as attachments or links to malicious files. The user interaction required to execute the exploit depends on the type of exploit and the targeted application.

Browser-based exploitation can occur through drive-by compromise or spearphishing links, which do not require any action by the user for the exploit to be executed. Office applications, such as Microsoft Office, can be targeted through phishing, where malicious files are transmitted as attachments or links to download them. In these cases, the user must open the document or file for the exploit to run. Adversaries may also target third-party applications widely used in enterprise environments, such as Adobe Reader and Flash. Depending on the software and nature of the vulnerability, these exploits may be executed in the browser or require the user to open a file.

Software Deployment Tools (T1072)

Software deployment tools can be a potential security risk for companies because adversaries, or unauthorized individuals, may be able to access these tools and use them to move throughout a company’s network. This could result in the adversary’s ability to execute code on all connected systems, gather sensitive information, or even cause damage, such as wiping all data from computers. The specific permissions needed to carry out this type of attack may depend on the company’s system setup. In some cases, local credentials may be enough, while specific domain credentials may be required in others.

Exploitation for Privilege Escalation (T1068)

In simple terms, a software vulnerability is a flaw in a program or service that an attacker can exploit to gain unauthorized access to a system. This means that the attacker takes advantage of a mistake in the programming to run their code on the system. To do this, the attacker often needs to bypass security measures and increase their privileges, which may be limited initially. An attacker may start with lower privilege levels, which restrict their access to specific resources on the system. However, suppose vulnerabilities exist in the operating system components or high-level software. In that case, the attacker can exploit them to elevate their privileges to a higher level, such as SYSTEM or root. This will allow the attacker to access more sensitive information and perform more damaging actions.

In some cases, the attacker may use a signed vulnerable driver to exploit a vulnerability in kernel mode. This technique is known as Bring Your Own Vulnerable Driver (BYOVD) and involves delivering the vulnerable driver to the compromised system through various methods, such as Initial Access or Lateral Tool Transfer.

Domain Policy Modification (T1484)

Adversaries can threaten computer networks’ security, especially in domain environments where resources are managed centrally. These environments include settings that dictate how different computer systems and user accounts interact with one another on a network.

One way adversaries can do this is by altering domain Group Policy Objects (GPOs) or changing trust settings between domains, including federation trusts. This requires sufficient permissions and, once done, can result in a wide range of potential attacks. For instance, an adversary can modify GPOs to push a malicious task onto all computers in the network or change trust settings to include an adversary-controlled domain where they can control access tokens. Additionally, adversaries may change configuration settings within the Active Directory (AD) environment to set up a rogue domain controller, further compromising security. Sometimes, they may temporarily modify domain policy, carry out malicious actions, and then revert the changes to hide their tracks. Table 4-11 lists the sub-techniques associated with Domain Policy Modification in the framework.

Deobfuscate/Decode Files or Information (T1140)

Adversaries often use obfuscation techniques to conceal the true nature of their malicious activities, making it more difficult for security solutions to detect and prevent them. During an attack, separate mechanisms may be required to decode or deobfuscate files and information, which can involve the built-in functionality of malware or using utilities present on the system.

An example of this would be certutil, a command-line utility in Windows that is used to manage digital certificates and certificate trust lists. It is typically used to view and manage certificate stores, convert certificate formats, and verify certificate trust. By hiding a remote access tool (RAT) portable executable file inside a certificate file and then using certutil to decode it, adversaries can evade security solutions that rely on recognizing known malicious code.

Masquerading (T1036)

Adversaries sometimes use masquerading techniques to make their malicious software look like it’s a harmless or even a helpful tool. They do this by changing the name or location of the software so that it’s harder for security programs and users to identify it as harmful. It could mean giving the software a misleading filename or file type, making it appear as if it’s a different kind of file altogether, or even giving it a name that sounds like a trusted system utility.

Masquerading aims to avoid detection and trick people into downloading or running malicious software. By making software appear legitimate or harmless, the attacker hopes to give themselves a better chance of succeeding in their attack. Table 4-12 lists the sub-techniques associated with Masquerading in the framework.

Indirect Command Execution (T1202)

Adversaries can abuse certain utilities in Windows that allow for command execution to bypass security restrictions. This enables them to execute arbitrary commands and scripts without invoking the command-line interpreter (cmd), thereby avoiding detection. The utilities that can be used for this purpose include Forfiles, the Program Compatibility Assistant (pcalua.exe), and components of the Windows Subsystem for Linux (WSL), as well as others.

Brute Force (T1110)

Brute force is a method malicious actors use to gain access to sensitive accounts, such as online accounts or computer systems, when the password is unknown or password hashes have been obtained. The idea behind it is to guess the password by repeatedly trying different combinations until the correct one is found. Adversaries can use brute-force attacks at various points during a breach to access valid accounts within a victim’s environment by leveraging information gathered from other malicious activities, like OS credential dumping, account discovery, or password policy discovery. Table 4-13 lists the sub-techniques associated with Brute Force in the framework.

Network Sniffing (T1040)

Network sniffing is monitoring or capturing information sent over a wired or wireless network connection. Essentially, attackers use their network interface to tap into the network and collect data that is in transit. One of the things attackers can target through network sniffing is sensitive information, like user credentials, especially if the information is being sent over an insecure or unencrypted protocol, making it easier for the attacker to access it. Aside from capturing user credentials, network sniffing can give attackers insight into the configuration details of the network environment, like running services, version numbers, IP addresses, hostnames, and VLAN IDs. Even in cloud-based environments, attackers can use traffic-mirroring services to sniff network traffic from virtual machines. Much of this traffic is often in clear text, as encryption is not applied to reduce the strain on the network.

OS Credential Dumping (T1003)

OS credential dumping is an attacker’s technique to steal account login information, like passwords or hash values, from an operating system or software. With the credentials obtained through OS credential dumping, attackers can access restricted information and critical assets, move laterally in the network, create new accounts, perform actions, and even remove accounts to clear their tracks. In addition, they may also analyze password patterns and password policies to reveal other credentials. This technique is used by attackers who have already gained access to a system with elevated privileges. Table 4-14 lists the sub-techniques associated with OS Credential Dumping in the framework.

Account Discovery (T1087)

Account discovery is a technique adversaries use to collect information about accounts on a system or within a network environment. The purpose of account discovery is to identify the users who have access to the system and to determine which accounts can be targeted further. Adversaries may try to gather information about the cloud accounts that an organization has established, as well as compile a list of email addresses that can be targeted in a later stage of the operation. Table 4-15 lists the sub-techniques associated with Account Discovery in the framework.

Browser Information Discovery (T1217)

Adversaries may attempt to find information about the systems and networks they have compromised by examining the bookmarks saved in a user’s web browser. These bookmarks can provide valuable information about the user, such as their banking websites, social media accounts, and interests, as well as details about the internal network, such as servers, tools, and dashboards. If an adversary has obtained valid login credentials, examining the browser bookmarks can help them identify other potential targets. This is especially true if the browser has saved website login information, which is stored in files on the user’s device. The location of browser bookmarks depends on the user’s platform and web browser, but they are typically stored in local files or databases on the user’s device.

System Network Connections Discovery (T1049)

When an adversary gains unauthorized access to a computer system or network, they may try to find out more about the connections to and from that system. This is a way for attackers to gather information about connections to and from a compromised system or network, which can help them further their malicious goals. For instance, an attacker may search for details about virtual private clouds or networks in a cloud computing setup. Additionally, attackers with access to network devices can conduct a similar discovery process by utilizing the built-in features or command-line interface to uncover information about linked systems and services.

Exploitation of Remote Services (T1210)

Exploitation of remote services is the process where an attacker takes advantage of a vulnerability in a remote system to gain unauthorized access to it. This access can then be used to move laterally within the network and gain access to other systems and sensitive data. To carry out this attack, an adversary must first determine if the remote system is vulnerable. This can be done by using methods of network service discovery to identify susceptible software, looking for missing patches, or checking for the presence of security software. Many common services and systems are known to have vulnerabilities; if an attacker successfully exploits one of these systems, they may gain access to the network and cause damage. In some cases, the attacker may also be able to escalate their privileges, giving them even greater control over the system.

Replication Through Removable Media (T1091)

Replication through removable media is a technique cyberattackers use to spread malware from one computer to another. This is done by copying the malware onto a removable device, such as a USB drive, and taking advantage of the device’s Autorun feature. The feature was designed to make it easier for users of removable devices to run applications or files without manually locating and executing them.

The malware can infect a target computer when the removable device is inserted and executed. Adversaries use this method to gain access to systems, especially those that are disconnected or have limited access to the internet (also known as air-gapped networks). This can be done through various means, such as modifying the executable files stored on the removable device or disguising the malware as a legitimate file to trick users into executing it. Mobile devices such as smartphones can also be used as a means of spreading malware to PCs. When a smartphone is connected to a computer via USB, it can show up as if it’s a mounted hard drive. If there is malware on the smartphone, the computer can get infected if the Autorun feature is turned on.

Use Alternate Authentication Material (T1550)

When you log in to a system, you usually need to provide a username and some form of authentication, such as a password or a smart card. After successfully logging in, the system generates alternate authentication material, which is used to verify your identity and allow you to access different parts of the system without having to log in again. The system stores this alternate authentication material, but if it’s not adequately secured, it could be stolen by attackers. If this happens, the attackers could bypass normal access controls and log in to the system as you, even if they don’t know your password or other authentication factors. Table 4-16 lists the sub-techniques associated with Use Alternate Authentication Material in the framework.

Automated Collection (T1119)

Automated collection is a technique used by adversaries to gather internal data within a system or network using automated tools. This can involve using command and scripting interpreters to search for and copy information that matches specific criteria, such as file type, location, or name, at set time intervals. In cloud-based environments, adversaries may use cloud APIs; command-line interfaces; or extract, transform, and load (ETL) services to collect data automatically. Adversaries can use this technique to quickly and efficiently collect large amounts of data without manual intervention.

Archive Collected Data (T1560)

When an adversary collects data, they may compress and encrypt it before exfiltrating it from the target system. Compressing the data helps make it more difficult to detect and reduces the amount of data that needs to be transferred over the network. By using compression, an adversary can hide the data among other network traffic, making it less conspicuous. Encryption is another technique adversaries may use to protect the collected information, where the data becomes inaccessible to anyone who does not have the decryption key. This makes it difficult for defenders to detect or make sense of the information if they intercept it. Table 4-17 lists the sub-techniques associated with Archive Collected Data in the framework.

Data from Network Shared Drive (T1039)

When adversaries gain access to a computer system, they often look for ways to find sensitive information that they can use or sell for profit. One way they can do this is by searching for files of interest on the network shares of the compromised computer. If it has access to shared network drives on other systems, the adversaries can use those drives to collect sensitive data. For example, a company might have a file server that stores all of its financial records, and if a threat actor gains access to a computer that can access that file server, they can use it to steal that data.

All of this is done before the adversary attempts to exfiltrate the stolen data, which means they gather the information they want and save it in a location they can access later.

Application Layer Protocol (T1071)

An application layer protocol is a communication protocol that defines how applications communicate with each other over a network. It is a set of rules and standards that determine the format, sequence, and error checking of messages exchanged between applications at the application layer of the open systems interconnection (OSI) model.

Adversaries use application layer protocols to blend in with existing traffic. In other words, to avoid raising suspicion, they use the same protocols that legitimate traffic uses. This means that the commands they send to the remote system and the results of those commands are hidden within the normal traffic of the communication protocol. To achieve this, adversaries may use various protocols, such as those commonly used for web browsing, file transfers, email, or DNS, making it harder to detect their activity. This allows them to conduct their activities in a way that makes them harder to detect. Table 4-18 lists the sub-techniques associated with the Application Layer Protocol in the framework.

Proxy (T1090)

A proxy is an intermediary between a user’s computer and the internet. When a user requests access to a website or other online resource, the request first goes to the proxy server, which sends the request on behalf of the user. In a cyberattack, adversaries may use a connection proxy to redirect network traffic between systems or act as an intermediary for network communications to a C2 server. Various tools enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these resources to manage C2 communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or ride over existing trusted communications paths between victims to avoid suspicion.

Adversaries can take advantage of routing schemes in content delivery networks (CDNs) to proxy C2 traffic. CDNs are used to optimize web content delivery, and attackers can exploit them to route C2 traffic through the same infrastructure already used by legitimate network traffic. This can make it more difficult to detect malicious activity and can help attackers avoid being flagged as malicious by security controls. Table 4-19 lists the sub-techniques associated with Proxy in the framework.

Exfiltration over Alternative Protocol (T1048)

Exfiltration involves sending the stolen data over a different network protocol than the one used for the C2 channel, making it harder for security measures to detect and prevent the exfiltration. Attackers might hide the data or use tools to scramble the information being transmitted to further evade detection. They can use standard computer tools already installed on the system (like Net/Server Message Block (SMB) or FTP), or on macOS and Linux systems, they can use a tool called cURL to send the data out using alternate protocols (like HTTP/S or FTP/S). Table 4-20 lists the sub-techniques associated with Exfiltration over Alternative Protocol in the framework.

Scheduled Transfer (T1029)

When an adversary wants to steal data from a computer network, they might use a technique called scheduled transfer. This means they schedule a specific time or interval to steal the data so it looks like normal activity and is more challenging for security teams to detect. When using this technique, they carefully plan when they will transfer the stolen data to make it blend in with regular activity on the network. For example, an attacker may schedule the data transfer to occur when employees are typically busy sending and receiving large amounts of data, such as during peak business hours. This way, the transfer of the stolen data is less likely to be noticed by security teams monitoring the network.

Furthermore, attackers might use scheduled transfers to avoid setting off any alarms or alerts triggered by unusual activity. If data is being exfiltrated at random intervals, it can look suspicious and draw attention. But by scheduling the transfer, the attacker can make it appear as if the data were just part of regular network traffic.

Transfer Data to Cloud Account (T1537)

A cloud environment is a virtual space where your online data, applications, and systems are stored and accessed. It’s like a digital warehouse where you can keep your files and programs and access them from anywhere with an internet connection. Cloud environments offer several benefits, such as increased accessibility, scalability, and cost-effectiveness. They allow individuals and businesses to store and access data remotely without needing physical storage devices or on-premises servers.

Adversaries are known to utilize these scalable solutions for moving their files and large amounts of data from the target to their controlled cloud environment. They can transfer compromised cloud infrastructures, including their backups, to a different cloud account they control within the same service, making it harder for defenders to detect these anomalies.

Data Encrypted for Impact (T1486)

Data encrypted for impact is a technique in which the attacker encrypts essential files on a computer or network to make them inaccessible. The purpose of this attack could be to demand a ransom from the victim in exchange for a decryption key, or to cause permanent damage to the data. Usually, standard files like documents, pictures, and videos are targeted for encryption, and the attacker may use other methods to gain access to these files, like changing file permissions or shutting down the system. To spread the attack, techniques that allow the malware to infect other computers in the same network may be used, making it harder for defenders to contain the damage.

Endpoint Denial of Service (T1499)

In computing, an endpoint is a device or node connected to a network and capable of communicating with other devices or nodes on the network. Endpoints include computers, laptops, smartphones, servers, printers, and other network-connected devices. Adversaries can perform attacks that deny users access to services by overwhelming or blocking the resources that host those services. Some services that can be targeted include websites, email services, DNS, and web-based applications. Endpoint DoS attacks target different system layers, including the operating system, web servers, databases, and web applications.

Adversaries can use botnets to conduct distributed denial of service (DDoS) attacks. Botnets are large networks of computers that attackers control remotely to generate a significant amount of traffic. Botnets can be created by attackers, or existing botnets can be rented, and they can be so large that each computer only needs to send a small amount of traffic to exhaust the target’s resources. Table 4-21 lists the sub-techniques associated with Endpoint Denial of Service in the framework.

System Shutdown/Reboot (T1529)

Have you ever experienced a situation where your computer suddenly shuts down or restarts without permission? Unfortunately, sometimes malicious people may use these techniques to interrupt access to, or even destroy, computer systems. Operating systems have built-in commands that allow users to initiate a system shutdown or reboot the computer or remote computers connected to the same network. Adversaries can use these commands to disrupt access to computer resources for legitimate users, causing frustration and potentially the loss of important data or services.

What is more concerning is that some adversaries may intentionally impact a system in other ways, like wiping out the disk structure or preventing system recovery, before initiating a system shutdown or reboot, which can accelerate the effects on the system’s availability and make it more difficult for defenders to recover data.