shutdown system

rule:
  meta:
    name: shutdown system
    namespace: host-interaction/os
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Impact::System Shutdown/Reboot [T1529]
    examples:
      - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10008D60
  features:
    - or:
      - api: user32.ExitWindowsEx
      - api: user32.ExitWindows
      - api: advapi32.InitiateSystemShutdownEx
      - api: advapi32.InitiateSystemShutdown
      - api: advapi32.InitiateShutdown