T1490

Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to a...

Platforms: Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows

56 Detections
3 Sources
6 Threat Actors

BY SOURCE

sigma: 22
elastic: 18
splunk_escu: 16

PROCEDURES (34)

Auto-extracted procedure groupings (detections per group):

Process Creation Monitoring: 4 detections
Azure: 4 detections
Ransomware: 4 detections
Aws: 3 detections
Module Load Monitoring: 2 detections
Shadow Cop: 2 detections
Ntds: 2 detections
Powershell: 2 detections
Shadow Cop: 2 detections
Wmi: 2 detections
Cloud: 2 detections
Persist: 2 detections
Registry: 2 detections
Tamper: 2 detections
Ransomware: 2 detections
Ransomware: 1 detection
Bypass: 1 detection
Event Log: 1 detection
Credential: 1 detection
Event Log: 1 detection
Cloud Monitoring: 1 detection
Azure: 1 detection
Service: 1 detection
Suspicious: 1 detection
Bypass: 1 detection
Registry: 1 detection
Powershell: 1 detection
Powershell: 1 detection
Remote: 1 detection
General Monitoring: 1 detection
Remote: 1 detection
File Monitoring: 1 detection
Remote: 1 detection
Service: 1 detection

DETECTIONS (56)

Each entry lists the rule name followed by its source and, where the source assigns one, its severity level.

All Backups Deleted Via Wbadmin.EXE (sigma, high)
ASL AWS Disable Bucket Versioning (splunk_escu)
AWS Disable Bucket Versioning (splunk_escu)
AWS EC2 EBS Snapshot Access Removed (elastic, medium)
AWS RDS Snapshot Deleted (elastic, medium)
AWS S3 Bucket Configuration Deletion (elastic, low)
AWS S3 Bucket Versioning Disable (sigma, medium)
AWS S3 Object Versioning Suspended (elastic, medium)
Azure Compute Restore Point Collection Deleted by Unusual User (elastic, medium)
Azure Compute Restore Point Collections Deleted (elastic, high)
Azure Compute Snapshot Deletion by Unusual User and Resource Group (elastic, low)
Azure Compute Snapshot Deletions by User (elastic, medium)
Azure Resource Group Deleted (elastic, medium)
Backup Deletion with Wbadmin (elastic, low)
Backup Files Deleted (sigma, medium)
Bcdedit Command Back To Normal Mode Boot (splunk_escu)
BCDEdit Failure Recovery Modification (splunk_escu)
Boot Configuration Tampering Via Bcdedit.EXE (sigma, high)
Change To Safe Mode With Network Config (splunk_escu)
Cisco Modify Configuration (sigma, medium)
Copy From VolumeShadowCopy Via Cmd.EXE (sigma, high)
Delete ShadowCopy With PowerShell (splunk_escu)
Delete Volume Shadow Copies Via WMI With PowerShell (sigma, high)
Deleting Shadow Copies (splunk_escu)
Deletion of Volume Shadow Copies via WMI with PowerShell (sigma, high)
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script (sigma, high)
Disabling SystemRestore In Registry (splunk_escu)
File Recovery From Backup Via Wbadmin.EXE (sigma, medium)
Modification of Boot Configuration (elastic, low)
New File Exclusion Added To Time Machine Via Tmutil - MacOS (sigma, medium)
New Root or CA or AuthRoot Certificate to Store (sigma, medium)
Potential Ransomware Note File Dropped via SMB (elastic, high)
Potential System Tampering via File Modification (elastic, high)
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load (sigma, medium)
Prevent Automatic Repair Mode using Bcdedit (splunk_escu)
Registry Disable System Restore (sigma, high)
Resize ShadowStorage volume (splunk_escu)
Sensitive File Access Via Volume Shadow Copy Backup (sigma, high)
Shadow Copies Deletion Using Operating Systems Utilities (sigma, high)
Suspicious File Renamed via SMB (elastic, high)
Suspicious Volume Shadow Copy VSS_PS.dll Load (sigma, high)
Suspicious Volume Shadow Copy Vssapi.dll Load (sigma, high)
Third-party Backup Files Deleted via Unexpected Process (elastic, medium)
Time Machine Backup Deletion Attempt Via Tmutil - MacOS (sigma, medium)
Time Machine Backup Disabled Via Tmutil - MacOS (sigma, medium)
Volume Shadow Copy Deleted or Resized via VssAdmin (elastic, high)
Volume Shadow Copy Deletion via PowerShell (elastic, high)
Volume Shadow Copy Deletion via WMIC (elastic, high)
WBAdmin Delete System Backups (splunk_escu)
Windows Backup Deleted Via Wbadmin.EXE (sigma, medium)
Windows BitLocker Suspicious Command Usage (splunk_escu)
Windows Cisco Secure Endpoint Related Service Stopped (splunk_escu)
Windows Recovery Environment Disabled Via Reagentc (sigma, medium)
Windows Security And Backup Services Stop (splunk_escu)
Windows WBAdmin File Recovery From Backup (splunk_escu)
Windows WMIC Shadowcopy Delete (splunk_escu)