T1490 Microsoft Sentinel · KQL

Detect Inhibit System Recovery in Microsoft Sentinel

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.

MITRE ATT&CK

Tactic
Impact
Technique
T1490 Inhibit System Recovery
Canonical reference
https://attack.mitre.org/techniques/T1490/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let RecoveryInhibitPatterns = dynamic([
  "delete shadows", "delete catalog", "shadowcopy delete", "delete shadow",
  "recoveryenabled no", "bootstatuspolicy ignoreallfailures",
  "resize shadowstorage", "diskshadow",
  "reagentc"
]);
let ShadowDeleteBinaries = dynamic(["vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe"]);
let BcdEditBinary = dynamic(["bcdedit.exe"]);
let ReagentBinary = dynamic(["reagentc.exe"]);
// VSS and backup catalog deletion
let ShadowDeletes = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ShadowDeleteBinaries)
| where ProcessCommandLine has_any (RecoveryInhibitPatterns)
| extend TechniqueCategory = case(
    ProcessCommandLine has_any ("delete shadows", "delete shadow", "shadowcopy delete"), "VSS_Delete",
    ProcessCommandLine has "delete catalog", "BackupCatalog_Delete",
    ProcessCommandLine has "resize shadowstorage", "VSS_Resize",
    "Other"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
// BCD boot recovery disable
let BcdDisable = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (BcdEditBinary)
| where ProcessCommandLine has_any ("recoveryenabled", "bootstatuspolicy", "safeboot")
| extend TechniqueCategory = "BCD_Recovery_Disable"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
// WinRE disable via REAgentC
let WinREDisable = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reagentc.exe"
| where ProcessCommandLine has_any ("/disable", "-disable")
| extend TechniqueCategory = "WinRE_Disable"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, TechniqueCategory;
ShadowDeletes
| union BcdDisable
| union WinREDisable
| sort by Timestamp desc
high severity high confidence

Detects attempts to inhibit system recovery using native Windows utilities. Monitors for Volume Shadow Copy deletion via vssadmin.exe, wmic.exe, and diskshadow.exe; backup catalog deletion via wbadmin.exe; Boot Configuration Data (BCD) modification to disable recovery mode via bcdedit.exe; and Windows Recovery Environment disabling via reagentc.exe. Uses a union of three sub-queries to categorize each technique variant. Covers all primary ransomware pre-encryption patterns observed in Ryuk, Black Basta, Medusa, RobbinHood, EKANS, and WastedLocker campaigns.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths
  • System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
  • IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows
  • Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
  • Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades
Download portable Sigma rule (.yml)

Other platforms for T1490

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VSS Shadow Copy Deletion via vssadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.

  2. Test 2VSS Shadow Copy Deletion via WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.

  3. Test 3Boot Recovery Disable via bcdedit

    Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.

  4. Test 4Windows Backup Catalog Deletion via wbadmin

    Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.

  5. Test 5Ryuk-style VSS Storage Resize to Force Deletion

    Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1490 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1486Data Encrypted for ImpactT1485Data DestructionT1489Service StopT1562.001Disable or Modify ToolsT1047Windows Management InstrumentationT1059.001PowerShellT1059.003Windows Command ShellT1561.002Disk Structure WipeT1078Valid AccountsT1021.001Remote Desktop Protocol

Same Tactic: Impact

Popular Detections