T1490 IBM QRadar · QRadar

Detect Inhibit System Recovery in IBM QRadar

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.

MITRE ATT&CK

Tactic: Impact
Technique: T1490 Inhibit System Recovery
Canonical reference: https://attack.mitre.org/techniques/T1490/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "ProcessPath" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE (
  LOGSOURCETYPEID(logsourceid) = 12
  OR LOGSOURCETYPEID(logsourceid) = 392
)
AND (
  LOWER("ProcessPath") LIKE '%vssadmin.exe'
  OR LOWER("ProcessPath") LIKE '%wmic.exe'
  OR LOWER("ProcessPath") LIKE '%diskshadow.exe'
  OR LOWER("ProcessPath") LIKE '%wbadmin.exe'
  OR LOWER("ProcessPath") LIKE '%bcdedit.exe'
  OR LOWER("ProcessPath") LIKE '%reagentc.exe'
)
AND (
  LOWER("CommandLine") LIKE '%delete shadows%'
  OR LOWER("CommandLine") LIKE '%delete shadow %'
  OR LOWER("CommandLine") LIKE '%shadowcopy delete%'
  OR LOWER("CommandLine") LIKE '%delete catalog%'
  OR LOWER("CommandLine") LIKE '%resize shadowstorage%'
  OR LOWER("CommandLine") LIKE '%recoveryenabled%'
  OR LOWER("CommandLine") LIKE '%bootstatuspolicy%'
  OR LOWER("CommandLine") LIKE '%safeboot%'
  OR (
    LOWER("ProcessPath") LIKE '%reagentc.exe'
    AND (
      LOWER("CommandLine") LIKE '%/disable%'
      OR LOWER("CommandLine") LIKE '%-disable%'
    )
  )
)
ORDER BY starttime DESC
LAST 24 HOURS
Severity: critical · Confidence: high

This QRadar AQL query detects T1490 Inhibit System Recovery by selecting process execution events from Windows Security (LOGSOURCETYPEID 12) and Sysmon (LOGSOURCETYPEID 392) log sources. It matches the known set of recovery-inhibition binaries (vssadmin, wmic, diskshadow, wbadmin, bcdedit, reagentc) only when they execute with command-line arguments indicative of VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, or WinRE disabling; a recovery binary with a benign command line (for example, listing shadow copies) does not match.

Data Sources

  • Windows Security Event Log (EventID 4688 with process command-line auditing enabled via Group Policy)
  • Microsoft Sysmon EventID 1 ingested via the Sysmon DSM

Required Tables

events

False Positives & Tuning

  • Enterprise backup agents (NetBackup, Commvault, Windows Server Backup) that run vssadmin or wbadmin under service accounts to manage shadow copy quotas during scheduled backup windows
  • Infrastructure automation scripts used by storage or cloud teams to resize shadowstorage allocations during planned disk capacity expansion operations
  • Security operations teams running authorized breach-and-attack simulation (BAS) or red team exercises that include T1490 atomic test execution in isolated environments
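To check what the query above actually catches and how the tuning described in the False Positives list affects it, the following is an added Python re-implementation of the AQL predicate (it is example code, not part of the original page or of IBM QRadar). It reproduces the log-source, process-path and command-line conditions of the query, adds a conservative allowlist that suppresses only vssadmin/wbadmin quota management from a backup service account launched by a backup agent (never bcdedit or reagentc), and runs it over constructed events modelled on the five tests in the Testing Methodology section. The account name, agent path, and log source type 77 are hypothetical values chosen for the example.

```python
from dataclasses import dataclass

# LOGSOURCETYPEID values used by the AQL query on this page.
WINDOWS_SECURITY = 12
SYSMON = 392

# Binaries and command-line fragments taken from the query's WHERE clause.
RECOVERY_BINARIES = ("vssadmin.exe", "wmic.exe", "diskshadow.exe",
                     "wbadmin.exe", "bcdedit.exe", "reagentc.exe")
DESTRUCTIVE_FRAGMENTS = ("delete shadows", "delete shadow ", "shadowcopy delete",
                         "delete catalog", "resize shadowstorage",
                         "recoveryenabled", "bootstatuspolicy", "safeboot")
REAGENTC_DISABLE = ("/disable", "-disable")

# Tuning: backup agents legitimately drive vssadmin/wbadmin for quota work,
# but have no reason to touch bcdedit or reagentc, so only these two binaries
# are ever allowlisted. Account and parent path are hypothetical placeholders.
ALLOWLISTABLE_BINARIES = ("vssadmin.exe", "wbadmin.exe")
ALLOWED_SERVICE_ACCOUNTS = {r"corp\svc_backup"}
ALLOWED_PARENT_IMAGES = {r"c:\program files\examplebackup\agent.exe"}


@dataclass
class Event:
    logsourcetype: int   # LOGSOURCETYPEID of the emitting log source
    process_path: str    # "ProcessPath" custom property
    command_line: str    # "CommandLine" custom property
    username: str = ""
    parent_image: str = ""


def matches_t1490(ev: Event) -> bool:
    """Same predicate as the AQL query: right log source, a recovery binary,
    and a command line carrying one of the destructive fragments."""
    if ev.logsourcetype not in (WINDOWS_SECURITY, SYSMON):
        return False
    path = ev.process_path.lower()
    cmd = ev.command_line.lower()
    if not path.endswith(RECOVERY_BINARIES):
        return False
    if any(frag in cmd for frag in DESTRUCTIVE_FRAGMENTS):
        return True
    # reagentc has no destructive verb keyword; the /disable switch is the signal.
    return path.endswith("reagentc.exe") and any(f in cmd for f in REAGENTC_DISABLE)


def is_allowlisted(ev: Event) -> bool:
    """Suppress only when binary, account AND parent all match the backup agent."""
    path = ev.process_path.lower()
    return (path.endswith(ALLOWLISTABLE_BINARIES)
            and ev.username.lower() in ALLOWED_SERVICE_ACCOUNTS
            and ev.parent_image.lower() in ALLOWED_PARENT_IMAGES)


def triage(ev: Event) -> str:
    """Return 'alert', 'suppressed' (matched but allowlisted) or 'none'."""
    if not matches_t1490(ev):
        return "none"
    return "suppressed" if is_allowlisted(ev) else "alert"


# Constructed sample events: the five atomic tests, a reagentc case, two
# backup-agent cases for tuning, a benign vssadmin use, and a wrong log source.
USER, CMD = r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"
SVC, AGENT = r"CORP\svc_backup", r"C:\Program Files\ExampleBackup\agent.exe"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = {
    "test1_vssadmin_delete": Event(SYSMON, SYS32 + r"\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", USER, CMD),
    "test2_wmic_shadowcopy": Event(WINDOWS_SECURITY, SYS32 + r"\wbem\WMIC.exe", "wmic shadowcopy delete", USER, CMD),
    "test3_bcdedit_bootstatus": Event(SYSMON, SYS32 + r"\bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", USER, CMD),
    "test4_wbadmin_catalog": Event(SYSMON, SYS32 + r"\wbadmin.exe", "wbadmin.exe delete catalog -quiet", USER, CMD),
    "test5_resize_shadowstorage": Event(SYSMON, SYS32 + r"\vssadmin.exe", "vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB", USER, CMD),
    "reagentc_disable": Event(SYSMON, SYS32 + r"\ReAgentc.exe", "reagentc.exe /disable", USER, CMD),
    "backup_agent_resize": Event(SYSMON, SYS32 + r"\vssadmin.exe", "vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=20GB", SVC, AGENT),
    "backup_account_bcdedit": Event(SYSMON, SYS32 + r"\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no", SVC, AGENT),
    "benign_list_shadows": Event(SYSMON, SYS32 + r"\vssadmin.exe", "vssadmin.exe list shadows", USER, CMD),
    "wrong_log_source": Event(77, SYS32 + r"\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", USER, CMD),
}


def run_sample() -> dict:
    """Triage every constructed event; returns {name: verdict}."""
    return {name: triage(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{verdict:10s} {name}")
```

Two points the run makes visible: the allowlist is keyed on the combination of binary, account and parent, so a `bcdedit ... recoveryenabled no` from the backup service account still alerts, and an event from a log source type the query does not enumerate is never evaluated at all, which is the coverage gap to close if you ingest EDR process telemetry through a different DSM.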
Testing Methodology

Validate this detection against the 5 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VSS Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.

  2. Test 2: VSS Shadow Copy Deletion via WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.

  3. Test 3: Boot Recovery Disable via bcdedit

    Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.

  4. Test 4: Windows Backup Catalog Deletion via wbadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.

  5. Test 5: Ryuk-style VSS Storage Resize to Force Deletion

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.
