T1490 Elastic Security · Elastic

Detect Inhibit System Recovery in Elastic Security

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.

MITRE ATT&CK

Tactic
Impact
Technique
T1490 Inhibit System Recovery
Canonical reference
https://attack.mitre.org/techniques/T1490/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and
  process.name : ("vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe", "bcdedit.exe", "reagentc.exe") and
  (
    (
      process.name : ("vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe") and
      process.command_line : ("*delete shadows*", "*delete shadow *", "*shadowcopy delete*", "*shadowcopy* delete*", "*delete catalog*", "*resize shadowstorage*")
    ) or
    (
      process.name : "bcdedit.exe" and
      process.command_line : ("*recoveryenabled*", "*bootstatuspolicy*", "*safeboot*")
    ) or
    (
      process.name : "reagentc.exe" and
      process.command_line : ("*/disable*", "*-disable*")
    )
  )
critical severity high confidence

Detects T1490 Inhibit System Recovery via process execution of shadow copy deletion utilities (vssadmin, wmic, diskshadow, wbadmin), BCD boot recovery modification (bcdedit), and WinRE disabling (reagentc) using Elastic EQL against Winlogbeat or Elastic Agent process telemetry. Covers VSS deletion, backup catalog removal, shadow storage resizing, boot recovery disabling, and WinRE disabling.

Data Sources

Winlogbeat with Sysmon (EventID 1 - Process Create)Elastic Agent endpoint.events.processWindows Security Event Log (EventID 4688 with process command-line auditing enabled)

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • Enterprise backup solutions such as Veeam, Acronis, or Commvault that invoke vssadmin or wbadmin to manage shadow copy storage quotas during scheduled backup maintenance windows
  • IT administrators performing documented disaster recovery drills that include resetting BCD entries or toggling WinRE state in controlled lab or staging environments
  • Windows in-place upgrade processes (Windows Setup) that temporarily modify BCD configuration or disable WinRE as part of major OS version upgrades
Download portable Sigma rule (.yml)

Other platforms for T1490

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VSS Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.

  2. Test 2VSS Shadow Copy Deletion via WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.

  3. Test 3Boot Recovery Disable via bcdedit

    Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.

  4. Test 4Windows Backup Catalog Deletion via wbadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.

  5. Test 5Ryuk-style VSS Storage Resize to Force Deletion

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1490 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1486Data Encrypted for ImpactT1485Data DestructionT1489Service StopT1562.001Disable or Modify ToolsT1047Windows Management InstrumentationT1059.001PowerShellT1059.003Windows Command ShellT1561.002Disk Structure WipeT1078Valid AccountsT1021.001Remote Desktop Protocol

Same Tactic: Impact

Popular Detections