Infrastructure Layer

Shutdown Attack

The Shutdown Gremlin issues a system call to shutdown the operating system on which the target is running on (and optionally start it back up).


The Shutdown Gremlin issues a reboot Linux syscall. See: reboot(2)

When this attack is run against a host, this syscall behaves just as if you issued a reboot from the command line. It is considered a graceful shutdown in that it will issue a SIGTERM to all running processes, giving them a chance to terminate cleanly.

When this attack is run against a container, otherwise known as a nested PID namespace, this syscall terminates the processes immediately with a SIGKILL. See: pid_namespaces(7)

This Gremlin requires the SYS_BOOT capability, which is enabled for Gremlin by default at installation time. See capabilities(7)


The Shutdown Gremlin issues an ExitWindowsEx API call. Before shutting down, this system call sends the WM_QUERYENDSESSION message to all applications to determine if they can be terminated.


Delay-d intFalse10.0.1The number of minutes to delay before shutting down.
Reboot-rFalseTrue0.0.1Indicates the host should reboot after shutting down.