Which SIEM platforms have a T1490 detection rule?

df00tech provides T1490 (Inhibit System Recovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Inhibit System Recovery (T1490)?

Detecting Inhibit System Recovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1490 detection?

The T1490 detection is rated high severity with high confidence.

What are common false positives for T1490?

Common false positives for T1490 include: Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths; System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems; IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows.

T1490

Inhibit System Recovery

Impact Last updated: April 13, 2026

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.

What is T1490 Inhibit System Recovery?

Inhibit System Recovery (T1490) maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data in MITRE ATT&CK.

This page provides production-ready detection logic for Inhibit System Recovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Impact
Technique: T1490 Inhibit System Recovery
Canonical reference: https://attack.mitre.org/techniques/T1490/

Microsoft Sentinel / Defender

kusto

let RecoveryInhibitPatterns = dynamic([
  "delete shadows", "delete catalog", "shadowcopy delete", "delete shadow",
  "recoveryenabled no", "bootstatuspolicy ignoreallfailures",
  "resize shadowstorage", "diskshadow",
  "reagentc"
]);
let ShadowDeleteBinaries = dynamic(["vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe"]);
let BcdEditBinary = dynamic(["bcdedit.exe"]);
let ReagentBinary = dynamic(["reagentc.exe"]);
// VSS and backup catalog deletion
let ShadowDeletes = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ShadowDeleteBinaries)
| where ProcessCommandLine has_any (RecoveryInhibitPatterns)
| extend TechniqueCategory = case(
    ProcessCommandLine has_any ("delete shadows", "delete shadow", "shadowcopy delete"), "VSS_Delete",
    ProcessCommandLine has "delete catalog", "BackupCatalog_Delete",
    ProcessCommandLine has "resize shadowstorage", "VSS_Resize",
    "Other"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
// BCD boot recovery disable
let BcdDisable = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (BcdEditBinary)
| where ProcessCommandLine has_any ("recoveryenabled", "bootstatuspolicy", "safeboot")
| extend TechniqueCategory = "BCD_Recovery_Disable"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
// WinRE disable via REAgentC
let WinREDisable = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reagentc.exe"
| where ProcessCommandLine has_any ("/disable", "-disable")
| extend TechniqueCategory = "WinRE_Disable"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
ShadowDeletes
| union BcdDisable
| union WinREDisable
| sort by Timestamp desc

Detects attempts to inhibit system recovery using native Windows utilities. Monitors for Volume Shadow Copy deletion via vssadmin.exe, wmic.exe, and diskshadow.exe; backup catalog deletion via wbadmin.exe; Boot Configuration Data (BCD) modification to disable recovery mode via bcdedit.exe; and Windows Recovery Environment disabling via reagentc.exe. Uses a union of three sub-queries to categorize each technique variant. Covers all primary ransomware pre-encryption patterns observed in Ryuk, Black Basta, Medusa, RobbinHood, EKANS, and WastedLocker campaigns.

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths
System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows
Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\vssadmin.exe" OR Image="*\\wmic.exe" OR Image="*\\diskshadow.exe" OR
   Image="*\\wbadmin.exe" OR Image="*\\bcdedit.exe" OR Image="*\\reagentc.exe")
| eval CommandLineLower=lower(CommandLine)
| eval VSSDelete=if(match(CommandLineLower, "(delete shadows|delete shadow|shadowcopy delete|delete shadows /all)"), 1, 0)
| eval VSSShadowCopy=if(match(CommandLineLower, "(shadowcopy.*delete|delete.*shadowcopy)"), 1, 0)
| eval BackupCatalogDelete=if(match(CommandLineLower, "delete catalog"), 1, 0)
| eval VSSResize=if(match(CommandLineLower, "resize shadowstorage"), 1, 0)
| eval BCDRecoveryDisable=if(match(CommandLineLower, "(recoveryenabled.*no|bootstatuspolicy.*ignoreallfailures|safeboot)"), 1, 0)
| eval WinREDisable=if(match(CommandLineLower, "reagentc.*(disable|-disable|/disable)"), 1, 0)
| eval DiskShadowDelete=if(match(CommandLineLower, "diskshadow.*(delete|shadow)"), 1, 0)
| eval RecoveryInhibitScore=VSSDelete + VSSShadowCopy + BackupCatalogDelete + VSSResize + BCDRecoveryDisable + WinREDisable + DiskShadowDelete
| where RecoveryInhibitScore > 0
| eval TechniqueCategory=case(
    VSSDelete=1 OR VSSShadowCopy=1, "VSS_Delete",
    BackupCatalogDelete=1, "BackupCatalog_Delete",
    VSSResize=1, "VSS_Resize_Attack",
    BCDRecoveryDisable=1, "BCD_Recovery_Disable",
    WinREDisable=1, "WinRE_Disable",
    DiskShadowDelete=1, "DiskShadow_Delete",
    true(), "Other_Recovery_Inhibit"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TechniqueCategory, RecoveryInhibitScore
| sort - _time

Detects system recovery inhibition using Sysmon Event ID 1 (Process Creation) logs. Evaluates command lines against all known recovery-inhibiting patterns including VSS deletion (vssadmin, wmic, diskshadow), backup catalog deletion (wbadmin), BCD modification to disable recovery (bcdedit), and WinRE disabling (reagentc). Assigns a RecoveryInhibitScore and categorizes the specific technique variant. High score or multiple indicators fired simultaneously is a strong ransomware pre-encryption signal.

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths
System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows
Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "ProcessPath" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE (
  LOGSOURCETYPEID(logsourceid) = 12
  OR LOGSOURCETYPEID(logsourceid) = 392
)
AND (
  LOWER("ProcessPath") LIKE '%vssadmin.exe'
  OR LOWER("ProcessPath") LIKE '%wmic.exe'
  OR LOWER("ProcessPath") LIKE '%diskshadow.exe'
  OR LOWER("ProcessPath") LIKE '%wbadmin.exe'
  OR LOWER("ProcessPath") LIKE '%bcdedit.exe'
  OR LOWER("ProcessPath") LIKE '%reagentc.exe'
)
AND (
  LOWER("CommandLine") LIKE '%delete shadows%'
  OR LOWER("CommandLine") LIKE '%delete shadow %'
  OR LOWER("CommandLine") LIKE '%shadowcopy delete%'
  OR LOWER("CommandLine") LIKE '%delete catalog%'
  OR LOWER("CommandLine") LIKE '%resize shadowstorage%'
  OR LOWER("CommandLine") LIKE '%recoveryenabled%'
  OR LOWER("CommandLine") LIKE '%bootstatuspolicy%'
  OR LOWER("CommandLine") LIKE '%safeboot%'
  OR (
    LOWER("ProcessPath") LIKE '%reagentc.exe'
    AND (
      LOWER("CommandLine") LIKE '%/disable%'
      OR LOWER("CommandLine") LIKE '%-disable%'
    )
  )
)
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL query detecting T1490 Inhibit System Recovery by querying process execution events from Windows Security (LOGSOURCETYPEID 12) and Sysmon (LOGSOURCETYPEID 392) log sources. Matches the known set of recovery inhibition binaries executing with command-line arguments indicative of VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, or WinRE disabling.

critical severity high confidence

Data Sources

Windows Security Event Log (EventID 4688 with process command-line auditing enabled via Group Policy) Microsoft Sysmon EventID 1 ingested via the Sysmon DSM

Required Tables

events

False Positives

Enterprise backup agents (NetBackup, Commvault, Windows Server Backup) that run vssadmin or wbadmin under service accounts to manage shadow copy quotas during scheduled backup windows
Infrastructure automation scripts used by storage or cloud teams to resize shadowstorage allocations during planned disk capacity expansion operations
Security operations teams running authorized breach-and-attack simulation (BAS) or red team exercises that include T1490 atomic test execution in isolated environments

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where EventID = "1" or EventCode = "1"
| where Image matches "(?i).*(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$"
| where CommandLine matches "(?i).*(delete\\s+shadows|delete\\s+shadow\\s|shadowcopy\\s+delete|delete\\s+catalog|resize\\s+shadowstorage|recoveryenabled|bootstatuspolicy|safeboot|\/disable|-disable).*"
| eval TechniqueCategory = if(
    CommandLine matches "(?i).*(delete\\s+shadows|shadowcopy\\s+delete)", "VSS_Delete",
    if(CommandLine matches "(?i).*delete\\s+catalog", "BackupCatalog_Delete",
    if(CommandLine matches "(?i).*resize\\s+shadowstorage", "VSS_Resize",
    if(CommandLine matches "(?i).*(recoveryenabled|bootstatuspolicy|safeboot)", "BCD_Recovery_Disable",
    if(CommandLine matches "(?i).*reagentc.*disable", "WinRE_Disable", "Other_Recovery_Inhibit")))))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TechniqueCategory
| sort by _messageTime desc

Sumo Logic query detecting T1490 Inhibit System Recovery via Sysmon EventID 1 process creation events. Matches recovery inhibition binaries (vssadmin, wmic, diskshadow, wbadmin, bcdedit, reagentc) executing with arguments for VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, and WinRE disabling via reagentc. Results are categorized by sub-technique type.

critical severity high confidence

Data Sources

Sysmon EventID 1 (Process Create) via Windows Event Collector or Sumo Logic collector Windows Security EventID 4688 with process command-line auditing enabled via auditpol

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*windows* _sourceCategory=*WinEventLog*

False Positives

Veeam, Acronis, or similar enterprise backup platforms that periodically invoke vssadmin resize shadowstorage to manage snapshot allocation sizes on high-throughput servers
IT operations runbooks that disable WinRE on servers where OS recovery is handled entirely via PXE boot or external bare-metal restore tooling rather than the local recovery partition
Disk optimization or storage management utilities executed by infrastructure teams that interact with VSS as part of deduplication or thin-provisioning workflows

Google Chronicle / SecOps

yaral

rule t1490_inhibit_system_recovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1490 Inhibit System Recovery: VSS shadow copy deletion, BCD recovery disable, WinRE disable via reagentc"
    reference = "https://attack.mitre.org/techniques/T1490/"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1490"
    false_positives = "Enterprise backup software, DR testing, storage management scripts"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$`) or
      re.regex($e.target.process.file.short_name, `(?i)^(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$`)
    )
    (
      re.regex($e.target.process.command_line, `(?i)(delete[\s]+shadows|delete[\s]+shadow[\s]|shadowcopy[\s]+delete|delete[\s]+catalog|resize[\s]+shadowstorage)`) or
      re.regex($e.target.process.command_line, `(?i)(recoveryenabled[\s]+no|bootstatuspolicy[\s]+ignoreallfailures|safeboot)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)reagentc\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(\/disable|\-disable)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1490 Inhibit System Recovery using UDM PROCESS_LAUNCH events. Matches process launches where the target binary is a known recovery inhibition utility and the command line contains arguments for VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, or WinRE disabling. Dual-field matching on full_path and short_name increases resilience against path variation.

critical severity high confidence

Data Sources

Google Chronicle UDM PROCESS_LAUNCH events from Windows endpoints via Chronicle forwarder, Sysmon, or EDR telemetry (CrowdStrike, SentinelOne, Carbon Black)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise backup platforms (Veeam, Commvault, Zerto) that automate VSS management via vssadmin or wbadmin service accounts as part of nightly or incremental backup schedules
Cloud or hypervisor migration tools (Azure Migrate, VMware Converter) that disable WinRE and modify BCD settings when converting physical machines to virtual machine images
Authorized red team or breach-and-attack simulation exercises performing MITRE ATT&CK T1490 atomic tests in pre-approved isolated test environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe/
| CommandLine = /(?i)(delete\s+shadows|delete\s+shadow\s|shadowcopy\s+delete|delete\s+catalog|resize\s+shadowstorage|recoveryenabled|bootstatuspolicy|safeboot|\/disable|-disable)/
| TechniqueCategory := case {
    CommandLine = /(?i)(delete\s+shadows|shadowcopy\s+delete)/ => "VSS_Delete" ;
    CommandLine = /(?i)delete\s+catalog/ => "BackupCatalog_Delete" ;
    CommandLine = /(?i)resize\s+shadowstorage/ => "VSS_Resize" ;
    CommandLine = /(?i)(recoveryenabled|bootstatuspolicy|safeboot)/ => "BCD_Recovery_Disable" ;
    FileName = /(?i)reagentc\.exe/ AND CommandLine = /(?i)(disable)/ => "WinRE_Disable" ;
    * => "Other_Recovery_Inhibit"
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TechniqueCategory])
| sort(timestamp, order=desc)

CrowdStrike LogScale (Falcon) query detecting T1490 Inhibit System Recovery using ProcessRollup2 sensor events from endpoints with the Falcon sensor deployed. Matches the known recovery inhibition binary set executing with command-line arguments for VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, and WinRE disabling. Results are tagged with a TechniqueCategory field for triage prioritization.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR - ProcessRollup2 events from Windows endpoints with Falcon sensor deployed and full command-line capture enabled

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Veeam, Acronis, or other enterprise backup agents running under designated service accounts that invoke vssadmin or wbadmin to manage snapshot storage as part of automated backup schedules
Windows operating system in-place upgrade processes (Windows Setup) that temporarily disable WinRE or modify BCD configuration entries during major OS version upgrades
Storage capacity management automation scripts executed by infrastructure teams to resize shadow copy storage allocations on high-throughput file servers or database hosts

Sigma rule & cross-platform mapping

The detection logic for Inhibit System Recovery (T1490) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1490 Sigma rules on detection.fyi

Platform-specific guides for T1490

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1VSS Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.
Test 2VSS Shadow Copy Deletion via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.
Test 3Boot Recovery Disable via bcdedit
Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.
Test 4Windows Backup Catalog Deletion via wbadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.
Test 5Ryuk-style VSS Storage Resize to Force Deletion
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1490 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Inhibit System Recovery

What is T1490 Inhibit System Recovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1490

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Impact

Popular Detections

What is T1490 Inhibit System Recovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1490

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox