Detect Inhibit System Recovery in Splunk
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling the Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). The technique is routinely observed as a pre-encryption step in ransomware attacks, executed seconds to minutes before the encryption payload is launched, usually from the same batch file or parent process. Ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ it to maximize the irreversibility of the damage.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1490 Inhibit System Recovery
- Canonical reference: https://attack.mitre.org/techniques/T1490/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
(Image="*\\vssadmin.exe" OR Image="*\\wmic.exe" OR Image="*\\diskshadow.exe" OR
Image="*\\wbadmin.exe" OR Image="*\\bcdedit.exe" OR Image="*\\reagentc.exe")
| eval CommandLineLower=lower(CommandLine)
| eval VSSDelete=if(match(CommandLineLower, "delete shadows?"), 1, 0)
| eval VSSShadowCopy=if(match(CommandLineLower, "(shadowcopy.*delete|delete.*shadowcopy)"), 1, 0)
| eval BackupCatalogDelete=if(match(CommandLineLower, "delete (catalog|systemstatebackup)"), 1, 0)
| eval VSSResize=if(match(CommandLineLower, "resize shadowstorage"), 1, 0)
| eval BCDRecoveryDisable=if(match(CommandLineLower, "(recoveryenabled.*no|bootstatuspolicy.*ignoreallfailures|safeboot)"), 1, 0)
| eval WinREDisable=if(match(CommandLineLower, "reagentc.*disable"), 1, 0)
| eval DiskShadowDelete=if(match(CommandLineLower, "diskshadow.*(delete|shadow)"), 1, 0)
| eval RecoveryInhibitScore=VSSDelete + VSSShadowCopy + BackupCatalogDelete + VSSResize + BCDRecoveryDisable + WinREDisable + DiskShadowDelete
| where RecoveryInhibitScore > 0
| eval TechniqueCategory=case(
VSSDelete=1 OR VSSShadowCopy=1, "VSS_Delete",
BackupCatalogDelete=1, "BackupCatalog_Delete",
VSSResize=1, "VSS_Resize_Attack",
BCDRecoveryDisable=1, "BCD_Recovery_Disable",
WinREDisable=1, "WinRE_Disable",
DiskShadowDelete=1, "DiskShadow_Delete",
true(), "Other_Recovery_Inhibit"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TechniqueCategory, RecoveryInhibitScore
| sort - _time

Detects system recovery inhibition from Sysmon Event ID 1 (Process Creation). The command line of each recovery-related utility is tested against the common recovery-inhibiting patterns: VSS deletion (vssadmin, wmic, diskshadow), backup catalog and system state backup deletion (wbadmin), BCD changes that disable automatic recovery or force a safe-mode boot (bcdedit), and WinRE disabling (reagentc). Each matching indicator adds one to RecoveryInhibitScore, and TechniqueCategory labels the first matching variant in the case() order. The vssadmin pattern (delete shadows) and the wmic pattern (shadowcopy delete) are kept distinct so that a single command scores 1; a score above 1 on one event, or several events in different categories from the same host and parent within a few minutes, is the strong ransomware pre-encryption signal.

Two known gaps: the Image filter does not include powershell.exe, so the WMI variant run from PowerShell (Get-WmiObject Win32_ShadowCopy piped to Remove-WmiObject, or .Delete() on each object) needs a separate script block (Event ID 4104) detection; and diskshadow driven from a script file (diskshadow /s file.txt) only exposes the script path on the command line, so the delete verb lives in the file rather than in the event.
Data Sources
- Sysmon Event ID 1 (Process Creation) with CommandLine, ParentImage and User populated. Security Event ID 4688 with process command-line auditing enabled carries the same information, but the field names in the query above are Sysmon's and would need remapping.
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (the query assumes index=wineventlog; adjust the index to your deployment)
False Positives & Tuning
- Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation — typically run under dedicated service accounts from known installation paths
- System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
- IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows
- Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
- Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades
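The scoring and categorisation from the SPL query above, re-implemented in Python over constructed Sysmon-style records so the indicator patterns can be exercised offline, together with a parent-path-and-account allowlist for the backup-agent false positive listed under tuning. This is an added example, not code from the page or from Splunk; the Veeam installation path, the svc_veeam service account, and the sample events are assumptions made for the example.

```python
import re

# Indicator regexes, one per eval in the SPL query, applied to the lowercased command line
PATTERNS = {
    "VSSDelete": r"delete shadows?",
    "VSSShadowCopy": r"(shadowcopy.*delete|delete.*shadowcopy)",
    "BackupCatalogDelete": r"delete (catalog|systemstatebackup)",
    "VSSResize": r"resize shadowstorage",
    "BCDRecoveryDisable": r"(recoveryenabled.*no|bootstatuspolicy.*ignoreallfailures|safeboot)",
    "WinREDisable": r"reagentc.*disable",
    "DiskShadowDelete": r"diskshadow.*(delete|shadow)",
}

# case() order from the query: the first matching branch wins
CATEGORY_ORDER = [
    (("VSSDelete", "VSSShadowCopy"), "VSS_Delete"),
    (("BackupCatalogDelete",), "BackupCatalog_Delete"),
    (("VSSResize",), "VSS_Resize_Attack"),
    (("BCDRecoveryDisable",), "BCD_Recovery_Disable"),
    (("WinREDisable",), "WinRE_Disable"),
    (("DiskShadowDelete",), "DiskShadow_Delete"),
]

# Equivalent of the Image="*\\tool.exe" filter
RECOVERY_TOOLS = tuple("\\" + t for t in (
    "vssadmin.exe", "wmic.exe", "diskshadow.exe", "wbadmin.exe", "bcdedit.exe", "reagentc.exe"))

# Hypothetical tuning allowlist for the backup-agent false positive: parent image path prefix
# plus the service account it runs as. Both values are assumptions for this example.
ALLOWLIST = [
    {"parent_prefix": r"c:\program files\veeam", "user_suffix": r"\svc_veeam"},
]


def score_event(event):
    """Score one Sysmon EID 1 record. Returns None when the Image is not a recovery tool
    or no indicator matches; otherwise a dict with indicators, score and category."""
    if not event.get("Image", "").lower().endswith(RECOVERY_TOOLS):
        return None
    cmd = event.get("CommandLine", "").lower()
    indicators = {name: int(bool(re.search(pat, cmd))) for name, pat in PATTERNS.items()}
    score = sum(indicators.values())
    if score == 0:
        return None
    category = "Other_Recovery_Inhibit"
    for names, label in CATEGORY_ORDER:
        if any(indicators[n] for n in names):
            category = label
            break
    return {"indicators": indicators, "score": score, "category": category}


def is_allowlisted(event):
    """Backup-agent exclusion. Parent path AND account must both match, so a compromised
    service account launching cmd.exe, or a renamed tool elsewhere, is not excluded."""
    parent = event.get("ParentImage", "").lower()
    user = event.get("User", "").lower()
    return any(parent.startswith(a["parent_prefix"]) and user.endswith(a["user_suffix"])
               for a in ALLOWLIST)


def detect(events):
    """Full pipeline: score, drop allowlisted hits, newest first (mirrors '| sort - _time')."""
    hits = []
    for event in events:
        result = score_event(event)
        if result is None or is_allowlisted(event):
            continue
        hits.append({**event, **result})
    return sorted(hits, key=lambda h: h["_time"], reverse=True)


def host_summary(hits):
    """Aggregate per host: total score and distinct categories. Several categories on one
    host within a short window is the pre-encryption pattern described above."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(hit["host"], {"score": 0, "categories": set()})
        entry["score"] += hit["score"]
        entry["categories"].add(hit["category"])
    return summary


# Constructed Sysmon EID 1 records (not real telemetry); the Veeam parent path is hypothetical
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"_time": 1700000001, "host": "WS01", "User": "CORP\\jdoe", "ParentImage": CMD,
     "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"_time": 1700000002, "host": "WS01", "User": "CORP\\jdoe", "ParentImage": CMD,
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"_time": 1700000003, "host": "WS01", "User": "CORP\\jdoe", "ParentImage": CMD,
     "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"_time": 1700000004, "host": "WS01", "User": "CORP\\jdoe", "ParentImage": CMD,
     "Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin.exe delete catalog -quiet"},
    {"_time": 1700000005, "host": "SRV-BKP01", "User": "CORP\\svc_veeam",
     "ParentImage": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /for=D: /oldest /quiet"},
    {"_time": 1700000006, "host": "WS02", "User": "CORP\\admin", "ParentImage": CMD,
     "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"},
    {"_time": 1700000007, "host": "WS02", "User": "CORP\\admin", "ParentImage": CMD,
     "Image": "C:\\Windows\\System32\\reagentc.exe", "CommandLine": "reagentc.exe /disable"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["_time"], hit["host"], hit["User"], hit["category"], hit["score"], hit["CommandLine"])
    print(host_summary(detect(SAMPLE_EVENTS)))
```

Running it yields five hits (the benign `list shadows` and the allowlisted Veeam rotation are dropped), each scoring 1, and a per-host summary showing WS01 with three distinct categories from one parent in a four-second span, which is the pattern worth paging on; a single VSS_Delete on a storage-constrained file server is the case to triage against the tuning list above.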
Testing Methodology
Validate this detection with the five Atomic Red Team tests for T1490 listed below. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: VSS Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing is enabled) with the same details.
- Test 2: VSS Shadow Copy Deletion via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with the same details. Provider activity may also appear in Microsoft-Windows-WMI-Activity/Operational.
- Test 3: Boot Recovery Disable via bcdedit
Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.
- Test 4: Windows Backup Catalog Deletion via wbadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with the same details. The Microsoft-Windows-Backup event log records the catalog deletion operation.
- Test 5: Ryuk-style VSS Storage Resize to Force Deletion
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Windows responds to the reduced quota by discarding existing shadow copies that no longer fit, so no explicit delete command appears on the command line; this is why VSSResize is scored separately.
References
- https://attack.mitre.org/techniques/T1490/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/
- https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation