T1490: Inhibit System Recovery
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact. Furthermore, adversaries may disable recovery notifications, then corrupt backups.
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
- vssadmin.exe can be used to delete all volume shadow copies on a system: vssadmin.exe delete shadows /all /quiet
- Windows Management Instrumentation can be used to delete volume shadow copies: wmic shadowcopy delete
- wbadmin.exe can be used to delete the Windows Backup Catalog: wbadmin.exe delete catalog -quiet
- bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
- REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
- diskshadow.exe can be used to delete all volume shadow copies on a system: diskshadow delete shadows all
On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services. In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base:
- mitre_attck_impact: PT-CR-497: Shadow_Copies_Deletion_with_Builtin_Tools: Detection of attempts to delete the shadow copies of data that is needed to restore Windows
- acronis: PT-CR-2239: Acronis_Mass_Drop_Machine_or_Backup_Plan: Attempt to delete multiple backups
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Creation | Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as … Analytic 1 - Detecting Shadow Copy Deletion or Resize; Analytic 2 - BCDEdit Failure Recovery Modification |
| DS0024 | Windows Registry: Windows Registry Key Modification | Monitor the registry for changes associated with system recovery features (ex: the creation of … |
| DS0017 | Command: Command Execution | Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as … |
| DS0020 | Snapshot: Snapshot Deletion | Monitor for unexpected deletion of snapshots (ex: AWS … |
| DS0010 | Cloud Storage: Cloud Storage Deletion | Monitor for unexpected deletion of cloud storage objects (ex: AWS … |
| DS0019 | Service: Service Metadata | Monitor the status of services involved in system recovery. Note: For Windows, Event ID 7040 can be used to alert on changes to the start type of a service (e.g., going from enabled at startup to disabled) associated with system recovery. |
| DS0022 | File: File Deletion | The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity. |
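The process-creation analytics above (Analytic 1 for shadow copy deletion or resize, Analytic 2 for bcdedit failure-recovery changes) can be expressed as command-line matching over process-creation events. The following is an added example, not code from MITRE or Positive Technologies; the event records are constructed, and the `reagentc /disable` switch is the documented WinRE switch rather than something stated on this page.

```python
import re
from typing import Optional

# Constructed process-creation command lines (as captured by Sysmon Event ID 1
# or Windows Security 4688 with command-line auditing enabled). Last one is benign.
SAMPLE_COMMAND_LINES = [
    "vssadmin.exe delete shadows /all /quiet",
    "wmic shadowcopy delete",
    "wbadmin.exe delete catalog -quiet",
    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    "diskshadow delete shadows all",
    "vssadmin list shadows",
]

SHADOW = "Analytic 1 - Detecting Shadow Copy Deletion or Resize"
BCD = "Analytic 2 - BCDEdit Failure Recovery Modification"

# (label, pattern). Patterns run against a lower-cased, whitespace-collapsed
# command line so casing and spacing variants do not escape the match.
RULES = [
    (SHADOW, re.compile(r"\bvssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)\b")),
    (SHADOW, re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    # diskshadow run with a script file (/s) hides the verb; flag the image separately in that case.
    (SHADOW, re.compile(r"\bdiskshadow(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("Backup Catalog Deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    (BCD, re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("WinRE Disabled", re.compile(r"\breagentc(\.exe)?\s+/disable\b")),  # assumption: documented switch
]


def normalize(cmd: str) -> str:
    return " ".join(cmd.lower().split())


def classify(cmd: str) -> Optional[str]:
    """Return the analytic label that matches the command line, or None if benign."""
    norm = normalize(cmd)
    for label, pattern in RULES:
        if pattern.search(norm):
            return label
    return None


def scan(command_lines) -> list:
    """Return (label, command line) pairs for every event that matches a rule."""
    return [(classify(c), c) for c in command_lines if classify(c) is not None]


if __name__ == "__main__":
    for label, cmd in scan(SAMPLE_COMMAND_LINES):
        print(f"[{label}] {cmd}")
```

A single hit on a workstation is worth a ticket; several of these within a short window on one host is the pattern that precedes ransomware deployment and should page.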
Mitigation
| ID | Name | Description |
|---|---|---|
| M1038 | Execution Prevention | Consider using application control configured to block execution of utilities such as … |
| M1028 | Operating System Configuration | Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: … |
| M1018 | User Account Management | Limit the user accounts that have access to backups to only those required. |
| M1053 | Data Backup | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies. |