T1490 Inhibit System Recovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RecoveryInhibitPatterns = dynamic([
  "delete shadows", "delete catalog", "shadowcopy delete", "delete shadow",
  "recoveryenabled no", "bootstatuspolicy ignoreallfailures",
  "resize shadowstorage", "diskshadow",
  "reagentc"
]);
let ShadowDeleteBinaries = dynamic(["vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe"]);
let BcdEditBinary = dynamic(["bcdedit.exe"]);
let ReagentBinary = dynamic(["reagentc.exe"]);
// VSS and backup catalog deletion
let ShadowDeletes = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ShadowDeleteBinaries)
| where ProcessCommandLine has_any (RecoveryInhibitPatterns)
| extend TechniqueCategory = case(
    ProcessCommandLine has_any ("delete shadows", "delete shadow", "shadowcopy delete"), "VSS_Delete",
    ProcessCommandLine has "delete catalog", "BackupCatalog_Delete",
    ProcessCommandLine has "resize shadowstorage", "VSS_Resize",
    "Other"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
// BCD boot recovery disable
let BcdDisable = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (BcdEditBinary)
| where ProcessCommandLine has_any ("recoveryenabled", "bootstatuspolicy", "safeboot")
| extend TechniqueCategory = "BCD_Recovery_Disable"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
// WinRE disable via REAgentC
let WinREDisable = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reagentc.exe"
| where ProcessCommandLine has_any ("/disable", "-disable")
| extend TechniqueCategory = "WinRE_Disable"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
ShadowDeletes
| union BcdDisable
| union WinREDisable
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths
System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows
Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\vssadmin.exe" OR Image="*\\wmic.exe" OR Image="*\\diskshadow.exe" OR
   Image="*\\wbadmin.exe" OR Image="*\\bcdedit.exe" OR Image="*\\reagentc.exe")
| eval CommandLineLower=lower(CommandLine)
| eval VSSDelete=if(match(CommandLineLower, "(delete shadows|delete shadow|shadowcopy delete|delete shadows /all)"), 1, 0)
| eval VSSShadowCopy=if(match(CommandLineLower, "(shadowcopy.*delete|delete.*shadowcopy)"), 1, 0)
| eval BackupCatalogDelete=if(match(CommandLineLower, "delete catalog"), 1, 0)
| eval VSSResize=if(match(CommandLineLower, "resize shadowstorage"), 1, 0)
| eval BCDRecoveryDisable=if(match(CommandLineLower, "(recoveryenabled.*no|bootstatuspolicy.*ignoreallfailures|safeboot)"), 1, 0)
| eval WinREDisable=if(match(CommandLineLower, "reagentc.*(disable|-disable|/disable)"), 1, 0)
| eval DiskShadowDelete=if(match(CommandLineLower, "diskshadow.*(delete|shadow)"), 1, 0)
| eval RecoveryInhibitScore=VSSDelete + VSSShadowCopy + BackupCatalogDelete + VSSResize + BCDRecoveryDisable + WinREDisable + DiskShadowDelete
| where RecoveryInhibitScore > 0
| eval TechniqueCategory=case(
    VSSDelete=1 OR VSSShadowCopy=1, "VSS_Delete",
    BackupCatalogDelete=1, "BackupCatalog_Delete",
    VSSResize=1, "VSS_Resize_Attack",
    BCDRecoveryDisable=1, "BCD_Recovery_Disable",
    WinREDisable=1, "WinRE_Disable",
    DiskShadowDelete=1, "DiskShadow_Delete",
    true(), "Other_Recovery_Inhibit"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TechniqueCategory, RecoveryInhibitScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths
System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows
Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name : ("vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe", "bcdedit.exe", "reagentc.exe") and
  (
    (
      process.name : ("vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe") and
      process.command_line : ("*delete shadows*", "*delete shadow *", "*shadowcopy delete*", "*shadowcopy* delete*", "*delete catalog*", "*resize shadowstorage*")
    ) or
    (
      process.name : "bcdedit.exe" and
      process.command_line : ("*recoveryenabled*", "*bootstatuspolicy*", "*safeboot*")
    ) or
    (
      process.name : "reagentc.exe" and
      process.command_line : ("*/disable*", "*-disable*")
    )
  )

critical severity high confidence

Data Sources

Winlogbeat with Sysmon (EventID 1 - Process Create) Elastic Agent endpoint.events.process Windows Security Event Log (EventID 4688 with process command-line auditing enabled)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Enterprise backup solutions such as Veeam, Acronis, or Commvault that invoke vssadmin or wbadmin to manage shadow copy storage quotas during scheduled backup maintenance windows
IT administrators performing documented disaster recovery drills that include resetting BCD entries or toggling WinRE state in controlled lab or staging environments
Windows in-place upgrade processes (Windows Setup) that temporarily modify BCD configuration or disable WinRE as part of major OS version upgrades

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "ProcessPath" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE (
  LOGSOURCETYPEID(logsourceid) = 12
  OR LOGSOURCETYPEID(logsourceid) = 392
)
AND (
  LOWER("ProcessPath") LIKE '%vssadmin.exe'
  OR LOWER("ProcessPath") LIKE '%wmic.exe'
  OR LOWER("ProcessPath") LIKE '%diskshadow.exe'
  OR LOWER("ProcessPath") LIKE '%wbadmin.exe'
  OR LOWER("ProcessPath") LIKE '%bcdedit.exe'
  OR LOWER("ProcessPath") LIKE '%reagentc.exe'
)
AND (
  LOWER("CommandLine") LIKE '%delete shadows%'
  OR LOWER("CommandLine") LIKE '%delete shadow %'
  OR LOWER("CommandLine") LIKE '%shadowcopy delete%'
  OR LOWER("CommandLine") LIKE '%delete catalog%'
  OR LOWER("CommandLine") LIKE '%resize shadowstorage%'
  OR LOWER("CommandLine") LIKE '%recoveryenabled%'
  OR LOWER("CommandLine") LIKE '%bootstatuspolicy%'
  OR LOWER("CommandLine") LIKE '%safeboot%'
  OR (
    LOWER("ProcessPath") LIKE '%reagentc.exe'
    AND (
      LOWER("CommandLine") LIKE '%/disable%'
      OR LOWER("CommandLine") LIKE '%-disable%'
    )
  )
)
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

Windows Security Event Log (EventID 4688 with process command-line auditing enabled via Group Policy) Microsoft Sysmon EventID 1 ingested via the Sysmon DSM

Required Tables

events

False Positives

Enterprise backup agents (NetBackup, Commvault, Windows Server Backup) that run vssadmin or wbadmin under service accounts to manage shadow copy quotas during scheduled backup windows
Infrastructure automation scripts used by storage or cloud teams to resize shadowstorage allocations during planned disk capacity expansion operations
Security operations teams running authorized breach-and-attack simulation (BAS) or red team exercises that include T1490 atomic test execution in isolated environments

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where EventID = "1" or EventCode = "1"
| where Image matches "(?i).*(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$"
| where CommandLine matches "(?i).*(delete\\s+shadows|delete\\s+shadow\\s|shadowcopy\\s+delete|delete\\s+catalog|resize\\s+shadowstorage|recoveryenabled|bootstatuspolicy|safeboot|\/disable|-disable).*"
| eval TechniqueCategory = if(
    CommandLine matches "(?i).*(delete\\s+shadows|shadowcopy\\s+delete)", "VSS_Delete",
    if(CommandLine matches "(?i).*delete\\s+catalog", "BackupCatalog_Delete",
    if(CommandLine matches "(?i).*resize\\s+shadowstorage", "VSS_Resize",
    if(CommandLine matches "(?i).*(recoveryenabled|bootstatuspolicy|safeboot)", "BCD_Recovery_Disable",
    if(CommandLine matches "(?i).*reagentc.*disable", "WinRE_Disable", "Other_Recovery_Inhibit")))))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TechniqueCategory
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sysmon EventID 1 (Process Create) via Windows Event Collector or Sumo Logic collector Windows Security EventID 4688 with process command-line auditing enabled via auditpol

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*windows* _sourceCategory=*WinEventLog*

False Positives

Veeam, Acronis, or similar enterprise backup platforms that periodically invoke vssadmin resize shadowstorage to manage snapshot allocation sizes on high-throughput servers
IT operations runbooks that disable WinRE on servers where OS recovery is handled entirely via PXE boot or external bare-metal restore tooling rather than the local recovery partition
Disk optimization or storage management utilities executed by infrastructure teams that interact with VSS as part of deduplication or thin-provisioning workflows

Google Chronicle / SecOps

yaral

rule t1490_inhibit_system_recovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1490 Inhibit System Recovery: VSS shadow copy deletion, BCD recovery disable, WinRE disable via reagentc"
    reference = "https://attack.mitre.org/techniques/T1490/"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1490"
    false_positives = "Enterprise backup software, DR testing, storage management scripts"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$`) or
      re.regex($e.target.process.file.short_name, `(?i)^(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$`)
    )
    (
      re.regex($e.target.process.command_line, `(?i)(delete[\s]+shadows|delete[\s]+shadow[\s]|shadowcopy[\s]+delete|delete[\s]+catalog|resize[\s]+shadowstorage)`) or
      re.regex($e.target.process.command_line, `(?i)(recoveryenabled[\s]+no|bootstatuspolicy[\s]+ignoreallfailures|safeboot)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)reagentc\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(\/disable|\-disable)`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM PROCESS_LAUNCH events from Windows endpoints via Chronicle forwarder, Sysmon, or EDR telemetry (CrowdStrike, SentinelOne, Carbon Black)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise backup platforms (Veeam, Commvault, Zerto) that automate VSS management via vssadmin or wbadmin service accounts as part of nightly or incremental backup schedules
Cloud or hypervisor migration tools (Azure Migrate, VMware Converter) that disable WinRE and modify BCD settings when converting physical machines to virtual machine images
Authorized red team or breach-and-attack simulation exercises performing MITRE ATT&CK T1490 atomic tests in pre-approved isolated test environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe/
| CommandLine = /(?i)(delete\s+shadows|delete\s+shadow\s|shadowcopy\s+delete|delete\s+catalog|resize\s+shadowstorage|recoveryenabled|bootstatuspolicy|safeboot|\/disable|-disable)/
| TechniqueCategory := case {
    CommandLine = /(?i)(delete\s+shadows|shadowcopy\s+delete)/ => "VSS_Delete" ;
    CommandLine = /(?i)delete\s+catalog/ => "BackupCatalog_Delete" ;
    CommandLine = /(?i)resize\s+shadowstorage/ => "VSS_Resize" ;
    CommandLine = /(?i)(recoveryenabled|bootstatuspolicy|safeboot)/ => "BCD_Recovery_Disable" ;
    FileName = /(?i)reagentc\.exe/ AND CommandLine = /(?i)(disable)/ => "WinRE_Disable" ;
    * => "Other_Recovery_Inhibit"
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TechniqueCategory])
| sort(timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR - ProcessRollup2 events from Windows endpoints with Falcon sensor deployed and full command-line capture enabled

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Veeam, Acronis, or other enterprise backup agents running under designated service accounts that invoke vssadmin or wbadmin to manage snapshot storage as part of automated backup schedules
Windows operating system in-place upgrade processes (Windows Setup) that temporarily disable WinRE or modify BCD configuration entries during major OS version upgrades
Storage capacity management automation scripts executed by infrastructure teams to resize shadow copy storage allocations on high-throughput file servers or database hosts

Inhibit System Recovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections