T1490 CrowdStrike LogScale · LogScale

Detect Inhibit System Recovery in CrowdStrike LogScale

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.

MITRE ATT&CK

Tactic
Impact
Technique
T1490 Inhibit System Recovery
Canonical reference
https://attack.mitre.org/techniques/T1490/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| FileName = /(?i)(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe/
| CommandLine = /(?i)(delete\s+shadows|delete\s+shadow\s|shadowcopy\s+delete|delete\s+catalog|resize\s+shadowstorage|recoveryenabled|bootstatuspolicy|safeboot|\/disable|-disable)/
| TechniqueCategory := case {
    CommandLine = /(?i)(delete\s+shadows|shadowcopy\s+delete)/ => "VSS_Delete" ;
    CommandLine = /(?i)delete\s+catalog/ => "BackupCatalog_Delete" ;
    CommandLine = /(?i)resize\s+shadowstorage/ => "VSS_Resize" ;
    CommandLine = /(?i)(recoveryenabled|bootstatuspolicy|safeboot)/ => "BCD_Recovery_Disable" ;
    FileName = /(?i)reagentc\.exe/ AND CommandLine = /(?i)(disable)/ => "WinRE_Disable" ;
    * => "Other_Recovery_Inhibit"
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TechniqueCategory])
| sort(timestamp, order=desc)
critical severity high confidence

CrowdStrike LogScale (Falcon) query detecting T1490 Inhibit System Recovery using ProcessRollup2 sensor events from endpoints with the Falcon sensor deployed. Matches the known recovery inhibition binary set executing with command-line arguments for VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, and WinRE disabling. Results are tagged with a TechniqueCategory field for triage prioritization.

Data Sources

CrowdStrike Falcon EDR - ProcessRollup2 events from Windows endpoints with Falcon sensor deployed and full command-line capture enabled

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Veeam, Acronis, or other enterprise backup agents running under designated service accounts that invoke vssadmin or wbadmin to manage snapshot storage as part of automated backup schedules
  • Windows operating system in-place upgrade processes (Windows Setup) that temporarily disable WinRE or modify BCD configuration entries during major OS version upgrades
  • Storage capacity management automation scripts executed by infrastructure teams to resize shadow copy storage allocations on high-throughput file servers or database hosts
Download portable Sigma rule (.yml)

Other platforms for T1490

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VSS Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.

  2. Test 2VSS Shadow Copy Deletion via WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.

  3. Test 3Boot Recovery Disable via bcdedit

    Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.

  4. Test 4Windows Backup Catalog Deletion via wbadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.

  5. Test 5Ryuk-style VSS Storage Resize to Force Deletion

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1490 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1486Data Encrypted for ImpactT1485Data DestructionT1489Service StopT1562.001Disable or Modify ToolsT1047Windows Management InstrumentationT1059.001PowerShellT1059.003Windows Command ShellT1561.002Disk Structure WipeT1078Valid AccountsT1021.001Remote Desktop Protocol

Same Tactic: Impact

Popular Detections