MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1490: Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact. Furthermore, adversaries may disable recovery notifications, then corrupt backups.

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
  • diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services. In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_impact: PT-CR-497: Shadow_Copies_Deletion_with_Builtin_Tools: Detection of attempts to delete the shadow copies of data that is needed to restore Windows
acronis: PT-CR-2239: Acronis_Mass_Drop_Machine_or_Backup_Plan: Attempt to delete multiple backups

Detection

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. After compromising a network of systems, threat actors often try to delete or resize shadow copies in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool for interacting with shadow copies. This action, often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focuses on Windows Security and Sysmon process creation events (4688 and 1). The use of wmic to delete shadow copies generates a WMI-Activity/Operational 5857 event and could generate 5858 (if the operation fails). These two event IDs can be useful when attackers use wmic without process creation logging being available, and for forensics.

Analytic 1 - Detecting Shadow Copy Deletion or Resize

(((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (CommandLine="vssadmin delete shadows" OR CommandLine="wmic shadowcopy delete" OR CommandLine="vssadmin resize shadowstorage")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="Win32_ShadowCopy")

Analytic 2 - BCDEdit Failure Recovery Modification

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\System32\bcdedit.exe" AND CommandLine="recoveryenabled"
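The two analytics above are pseudo-queries. The following Python, added here as an example and not part of the page's or MaxPatrol SIEM's own content, runs the same logic over constructed sample events. It normalises the command line before matching, because the Process Command Line field in a 4688 or Sysmon 1 event usually carries the full path and ".exe" (e.g. C:\Windows\System32\vssadmin.exe Delete Shadows), which a literal match on "vssadmin delete shadows" would miss; the event dictionaries and field names are assumptions.

```python
# Constructed sample events (not real telemetry) shaped like the fields the
# page's analytics reference: Security 4688, Sysmon 1, WMI-Activity 5857/5858.
SAMPLE_EVENTS = [
    {"source": "WinEventLog:Security", "EventCode": "4688",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"source": "WinEventLog:Microsoft-Windows-WMI-Activity/Operational",
     "EventCode": "5857", "ProviderName": "MSVSS__PROVIDER"},
    {"source": "WinEventLog:Security", "EventCode": "4688",  # benign: lists, does not delete
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
]

PROCESS_CREATION = {("WinEventLog:Microsoft-Windows-Sysmon/Operational", "1"),
                    ("WinEventLog:Security", "4688")}
# Command-line fragments from Analytic 1, compared after normalisation.
SHADOW_COPY_PATTERNS = ("vssadmin delete shadows", "wmic shadowcopy delete",
                        "vssadmin resize shadowstorage")


def normalize(cmdline):
    # Lower-case, drop the directory and ".exe" from the executable token and
    # collapse whitespace, so a full-path invocation still matches the fragments.
    tokens = cmdline.lower().split()
    if tokens:
        exe = tokens[0].rsplit("\\", 1)[-1]
        tokens[0] = exe[:-4] if exe.endswith(".exe") else exe
    return " ".join(tokens)


def classify(event):
    """Return the analytic an event triggers, or None for benign events."""
    src, code = event.get("source", ""), event.get("EventCode", "")
    if (src, code) in PROCESS_CREATION:
        cmd = normalize(event.get("CommandLine", ""))
        if any(p in cmd for p in SHADOW_COPY_PATTERNS):
            return "Analytic 1: shadow copy deletion or resize"
        if event.get("Image", "").lower().endswith("\\bcdedit.exe") and "recoveryenabled" in cmd:
            return "Analytic 2: bcdedit recovery modification"
        return None
    if code == "5857" and event.get("ProviderName") == "MSVSS__PROVIDER":
        return "Analytic 1: VSS WMI provider loaded (5857)"
    if code == "5858" and "win32_shadowcopy" in event.get("Operation", "").lower():
        return "Analytic 1: Win32_ShadowCopy WMI operation failed (5858)"
    return None


def scan(events):
    # (index, analytic) for every event that fires; benign events are skipped.
    return [(i, hit) for i, e in enumerate(events) if (hit := classify(e))]
```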

ID: DS0024 | Data source and component: Windows Registry: Windows Registry Key Modification | Description:

Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).

ID: DS0017 | Data source and component: Command: Command Execution | Description:

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit.

ID: DS0020 | Data source and component: Snapshot: Snapshot Deletion | Description:

Monitor for unexpected deletion of snapshots (ex: AWS delete-snapshot), especially those associated with cloud backups.

ID: DS0010 | Data source and component: Cloud Storage: Cloud Storage Deletion | Description:

Monitor for unexpected deletion of cloud storage objects (ex: AWS delete-object), especially those associated with cloud backups.

ID: DS0019 | Data source and component: Service: Service Metadata | Description:

Monitor the status of services involved in system recovery.

Note: For Windows, Event ID 7040 can be used to alert on changes to the start type of a service (e.g., going from enabled at startup to disabled) associated with system recovery.

ID: DS0022 | Data source and component: File: File Deletion | Description:

The Windows event logs may contain entries associated with suspicious activity, e.g. Event ID 524, which indicates that the system catalog was deleted.

Mitigation

ID: M1038 | Name: Execution Prevention | Description:

Consider using application control configured to block execution of utilities such as diskshadow.exe that may not be required for a given system or network to prevent potential misuse by adversaries.

ID: M1028 | Name: Operating System Configuration | Description:

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: reagentc /enable.

ID: M1018 | Name: User Account Management | Description:

Limit the user accounts that have access to backups to only those required.

ID: M1053 | Name: Data Backup | Description:

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off-system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies.