Infrastructure Layer

Shutdown Attack

The Shutdown Gremlin issues a system call to shut down or reboot the operating system on which the target is running on.

Reboot Behavior

Gremlin's reboot flag allows you to optionally tell Gremlin to "restart" target systems instead of shutting them down. Gremlin does not perform any validation upon target system startup after issuing a reboot. It's possible target systems never actually start back up due to the constraints within which they run. For example, issuing a reboot against target containers may trigger those containers to be reaped. This is common behavior in Kubernetes.


The Shutdown Gremlin issues a reboot Linux syscall. See: reboot(2)

When this attack is run against a host, this syscall behaves just as if you issued a reboot from the command line. It is considered a graceful shutdown in that it will issue a SIGTERM to all running processes, giving them a chance to terminate cleanly.

When this attack is run against a container, otherwise known as a nested PID namespace, this syscall terminates the processes immediately with a SIGKILL. See: pid_namespaces(7)

This Gremlin requires the SYS_BOOT capability, which is enabled for Gremlin by default at installation time. See capabilities(7)


The Shutdown Gremlin issues an ExitWindowsEx API call. Before shutting down, this system call sends the WM_QUERYENDSESSION message to all applications to determine if they can be terminated.


Delay-d intFalse10.0.1The number of minutes to delay before shutting down.
Reboot-rFalseTrue0.0.1Indicates the host should reboot after shutting down. NOTE: Gremlin does not verify that the target system starts back up.