Detect Inhibit System Recovery in Sumo Logic CSE
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1490 Inhibit System Recovery
- Canonical reference
- https://attack.mitre.org/techniques/T1490/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where EventID = "1" or EventCode = "1"
| where Image matches "(?i).*(vssadmin|wmic|diskshadow|wbadmin|bcdedit|reagentc)\.exe$"
| where CommandLine matches "(?i).*(delete\\s+shadows|delete\\s+shadow\\s|shadowcopy\\s+delete|delete\\s+catalog|resize\\s+shadowstorage|recoveryenabled|bootstatuspolicy|safeboot|\/disable|-disable).*"
| eval TechniqueCategory = if(
CommandLine matches "(?i).*(delete\\s+shadows|shadowcopy\\s+delete)", "VSS_Delete",
if(CommandLine matches "(?i).*delete\\s+catalog", "BackupCatalog_Delete",
if(CommandLine matches "(?i).*resize\\s+shadowstorage", "VSS_Resize",
if(CommandLine matches "(?i).*(recoveryenabled|bootstatuspolicy|safeboot)", "BCD_Recovery_Disable",
if(CommandLine matches "(?i).*reagentc.*disable", "WinRE_Disable", "Other_Recovery_Inhibit")))))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TechniqueCategory
| sort by _messageTime descSumo Logic query detecting T1490 Inhibit System Recovery via Sysmon EventID 1 process creation events. Matches recovery inhibition binaries (vssadmin, wmic, diskshadow, wbadmin, bcdedit, reagentc) executing with arguments for VSS deletion, backup catalog removal, shadow storage resizing, BCD modification, and WinRE disabling via reagentc. Results are categorized by sub-technique type.
Data Sources
Required Tables
False Positives & Tuning
- Veeam, Acronis, or similar enterprise backup platforms that periodically invoke vssadmin resize shadowstorage to manage snapshot allocation sizes on high-throughput servers
- IT operations runbooks that disable WinRE on servers where OS recovery is handled entirely via PXE boot or external bare-metal restore tooling rather than the local recovery partition
- Disk optimization or storage management utilities executed by infrastructure teams that interact with VSS as part of deduplication or thin-provisioning workflows
Other platforms for T1490
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VSS Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine='vssadmin.exe delete shadows /all /quiet'. Security Event ID 4688 (if command line auditing enabled) with same details. Microsoft-Windows-Volume-Shadow-Copy/Operational Event ID 8194 on deletion attempt.
- Test 2VSS Shadow Copy Deletion via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine='wmic shadowcopy delete'. Security Event ID 4688 with same details. WMI activity logs in Microsoft-Windows-WMI-Activity/Operational.
- Test 3Boot Recovery Disable via bcdedit
Expected signal: Two Sysmon Event ID 1 events: first with CommandLine='bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures', second with CommandLine='bcdedit.exe /set {default} recoveryenabled no'. Security Event ID 4688 for each. Both events fire within milliseconds of each other from the same parent.
- Test 4Windows Backup Catalog Deletion via wbadmin
Expected signal: Sysmon Event ID 1: Process Create with Image=wbadmin.exe, CommandLine='wbadmin.exe delete catalog -quiet'. Security Event ID 4688 with same details. Microsoft-Windows-Backup event log will record the catalog deletion operation.
- Test 5Ryuk-style VSS Storage Resize to Force Deletion
Expected signal: Sysmon Event ID 1: Process Create with Image=vssadmin.exe, CommandLine containing 'resize shadowstorage' and '/maxsize=401MB'. Microsoft-Windows-Volume-Shadow-Copy/Operational events as Windows responds to the reduced quota by discarding existing shadow copies.
References (10)
- https://attack.mitre.org/techniques/T1490/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/
- https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1490 including response playbook, investigation guide, and atomic red team tests.