T1490: Inhibit System Recovery

Data from MITRE ATT&CK®:

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

• vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
• Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
• wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
• bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
• REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Data Backup

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

File Deletion (File)

Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)

Windows Registry Key Modification (Windows Registry)

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Service Metadata (Service)

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

Snapshot Deletion (Snapshot)

Removal of a snapshot (ex: AWS delete-snapshot)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Cloud Storage Deletion (Cloud Storage)

Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)

Windows - Delete Backup Files

windows

Windows - Disable Windows Recovery Console Repair

windows

Windows - Disable the SR scheduled task

windows

Disable Time Machine

macos

Windows - Delete Volume Shadow Copies via WMI

windows

Modify VSS Service Permissions

windows

Windows - vssadmin Resize Shadowstorage Volume

windows

Disable System Restore Through Registry

windows

Windows - Delete Volume Shadow Copies via WMI with PowerShell

windows

Windows - Delete Volume Shadow Copies

windows

Windows - wbadmin Delete systemstatebackup

windows

Windows - wbadmin Delete Windows Backup Catalog

windows

Delete Volume Shadow Copies via WMI with PowerShell - PS Script

windows ps script

Sensitive File Access Via Volume Shadow Copy Backup

windows process creation

Delete Volume Shadow Copies Via WMI With PowerShell

windows ps classic start

Suspicious Volume Shadow Copy Vsstrace.dll Load

windows image load

Copy From VolumeShadowCopy Via Cmd.EXE

windows process creation

Shadow Copies Deletion Using Operating Systems Utilities

windows process creation

Backup Files Deleted

windows file delete

Suspicious Volume Shadow Copy Vssapi.dll Load

windows image load

SystemStateBackup Deleted Using Wbadmin.EXE

windows process creation

New Root or CA or AuthRoot Certificate to Store

windows registry set

Registry Disable System Restore

windows registry set

Cisco Modify Configuration

cisco

Boot Configuration Tampering Via Bcdedit.EXE

windows process creation

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

windows ps script

Suspicious Volume Shadow Copy VSS_PS.dll Load

windows image load

Deletion of Volume Shadow Copies via WMI with PowerShell

windows process creation

AWS S3 Bucket Versioning Disable

aws