Detect Inhibit System Recovery in Google Chronicle
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1490 Inhibit System Recovery
- Canonical reference
- https://attack.mitre.org/techniques/T1490/
YARA-L Detection Query
rule t1490_inhibit_system_recovery {
meta:
author = "Detection Engineering"
description = "Detects T1490 Inhibit System Recovery: VSS shadow copy deletion, BCD recovery disable, WinRE disable via reagentc"
reference = "https://attack.mitre.org/techniques/T1490/"
severity = "CRITICAL"
priority = "HIGH"
mitre_attack_tactic = "Impact"
mitre_attack_technique = "T1490"
false_positives = "Enterprise backup software, DR testing, storage management scripts"
version = "1.0"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e.target.process.file.full_path, `(?i)(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$`) or
re.regex($e.target.process.file.short_name, `(?i)^(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$`)
)
(
re.regex($e.target.process.command_line, `(?i)(delete[\s]+shadows|delete[\s]+shadow[\s]|shadowcopy[\s]+delete|delete[\s]+catalog|resize[\s]+shadowstorage)`) or
re.regex($e.target.process.command_line, `(?i)(recoveryenabled[\s]+no|bootstatuspolicy[\s]+ignoreallfailures|safeboot)`) or
(
re.regex($e.target.process.file.full_path, `(?i)reagentc\.exe$`) and
re.regex($e.target.process.command_line, `(?i)(\/disable|\-disable)`)
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1490 Inhibit System Recovery using UDM PROCESS_LAUNCH events. Matches process launches where the target binary is a known recovery inhibition utility and the command line contains arguments for VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, or WinRE disabling. Dual-field matching on full_path and short_name increases resilience against path variation.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup platforms (Veeam, Commvault, Zerto) that automate VSS management via vssadmin or wbadmin service accounts as part of nightly or incremental backup schedules
- Cloud or hypervisor migration tools (Azure Migrate, VMware Converter) that disable WinRE and modify BCD settings when converting physical machines to virtual machine images
- Authorized red team or breach-and-attack simulation exercises performing MITRE ATT&CK T1490 atomic tests in pre-approved isolated test environments
Other platforms for T1490
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VSS Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.
- Test 2VSS Shadow Copy Deletion via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.
- Test 3Boot Recovery Disable via bcdedit
Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.
- Test 4Windows Backup Catalog Deletion via wbadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.
- Test 5Ryuk-style VSS Storage Resize to Force Deletion
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.
References (10)
- https://attack.mitre.org/techniques/T1490/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/
- https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1490 including response playbook, investigation guide, and atomic red team tests.