title: Inhibit System Recovery (T1490)
id: df00tech-t1490
status: experimental
description: "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This includes deleting Volume Shadow Copies (VSS), disabling Windows Recovery Environment (WinRE), clearing backup catalogs, and modifying Boot Configuration Data (BCD). This technique is almost universally observed as a pre-encryption step in ransomware attacks, executed within seconds to minutes before the encryption payload is launched. Real-world ransomware families including Ryuk, Black Basta, Medusa, RobbinHood, WastedLocker, EKANS, and Ragnar Locker all employ this technique to maximize the irreversibility of damage."
references:
  - https://attack.mitre.org/techniques/T1490/
  - https://df00tech.com/detections/T1490
author: df00tech
date: 2026/04/13
tags:
  - attack.t1490
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The original placeholder (EventID: '*') matched every process_creation event; it is replaced here with command-line indicators for the behaviours named in the description (VSS deletion, backup catalog deletion, BCD recovery changes). Cross-check against the query on df00tech before deployment.
  selection:
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
      - 'delete catalog'
      - 'recoveryenabled no'
      - 'bootstatuspolicy ignoreallfailures'
  condition: selection
falsepositives:
  - "Backup software agents (Veeam, Acronis, Veritas) that manage VSS snapshots as part of their own backup rotation; these typically run under dedicated service accounts from known installation paths"
  - System administrators manually reclaiming disk space by deleting old shadow copies on storage-constrained systems
  - "IT operations scripts that adjust BCD settings during OS migration, sysprep, or imaging workflows"
  - Disaster recovery testing procedures that exercise backup and recovery tools in controlled maintenance windows
  - Windows Update and major feature updates that temporarily modify BCD settings during staged upgrades
level: high
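The following is an added illustration, not part of the df00tech rule, of how the process_creation selection for this technique behaves when run over log events, including how the first false-positive class (a backup agent rotating its own snapshots) can be suppressed by parent image and account. The command-line substrings mirror the four behaviours the description names (VSS deletion, WMI shadow-copy deletion, backup catalog deletion, BCD recovery changes). The events, the backup agent's install path and the service account name are constructed placeholders; field names follow Sigma's process_creation taxonomy.

```python
"""Evaluate a T1490 process_creation selection over constructed Sysmon-style events.

Added illustration for the rule above; the events, paths and account names are
constructed placeholders, not data from df00tech or any vendor.
"""
from typing import Dict, List, Optional

# Substrings mirroring a Sigma `CommandLine|contains` list: any single hit matches.
RECOVERY_INHIBIT_PATTERNS: List[str] = [
    "delete shadows",                      # vssadmin: Volume Shadow Copy deletion
    "shadowcopy delete",                   # wmic: same effect via WMI
    "delete catalog",                      # wbadmin: Windows Backup catalog removal
    "recoveryenabled no",                  # bcdedit: turns off WinRE auto-recovery
    "bootstatuspolicy ignoreallfailures",  # bcdedit: suppresses recovery prompts at boot
]

# Allowlist for the rule's first false-positive class (backup agents rotating their own
# snapshots). Both values are constructed placeholders; a real deployment would take
# the install path and service account from the backup product's documentation.
KNOWN_BACKUP_AGENTS: List[Dict[str, str]] = [
    {"parent_prefix": "c:\\program files\\veeam\\", "user_suffix": "\\svc_veeam"},
]


def matched_patterns(event: Dict[str, str]) -> List[str]:
    """Return every selection substring present in the event's CommandLine.

    Matching is case-insensitive and collapses runs of whitespace, since Sigma
    `contains` is case-insensitive and command lines are frequently padded.
    """
    cmd = " ".join(event.get("CommandLine", "").lower().split())
    return [p for p in RECOVERY_INHIBIT_PATTERNS if p in cmd]


def is_known_backup_agent(event: Dict[str, str]) -> bool:
    """True when the parent process and user match an allowlisted backup agent."""
    parent = event.get("ParentImage", "").lower()
    user = event.get("User", "").lower()
    return any(
        parent.startswith(a["parent_prefix"]) and user.endswith(a["user_suffix"])
        for a in KNOWN_BACKUP_AGENTS
    )


def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Apply the selection, then the allowlist. None means the rule did not fire."""
    hits = matched_patterns(event)
    if not hits:
        return None
    verdict = "suppress" if is_known_backup_agent(event) else "alert"
    return {"verdict": verdict, "hits": hits, "image": event.get("Image", "")}


def scan(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count verdicts across a batch of events."""
    counts = {"alert": 0, "suppress": 0, "no_match": 0}
    for ev in events:
        result = triage(ev)
        counts["no_match" if result is None else str(result["verdict"])] += 1
    return counts


# Constructed Sysmon Event ID 1-style records. None of these are real observations.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "User": "CORP\\jdoe",
     "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "User": "CORP\\jdoe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\bcdedit.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "User": "CORP\\jdoe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Program Files\\Veeam\\Backup\\VeeamBackupSvc.exe",  # placeholder
     "User": "CORP\\svc_veeam",
     "CommandLine": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "User": "CORP\\jdoe",
     "CommandLine": "vssadmin.exe list shadows"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", triage(ev))
    print(scan(SAMPLE_EVENTS))
```

Running the block prints a verdict per event and the batch counts: three alerts, one suppressed backup-agent snapshot rotation, and one non-match for the read-only `list shadows` call. Suppression keys on the parent image and the account rather than on the command line, which is what the rule's false-positive notes suggest: the same command is benign or hostile depending on who launched it. Plain substring matching is a baseline only; the level is set high because, as the description notes, these commands precede encryption by seconds to minutes, so any alert here should be handled as time-critical.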
