Behavioral Detection for T1490 - Inhibit System Recovery

Technique Detected: Inhibit System Recovery | T1490

ID: DET0329
Domains: Enterprise
Analytics: AN0933, AN0934, AN0935, AN0936, AN0937
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0933

Process chains that use native utilities (vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, wmic) with arguments to delete shadow copies, disable recovery, or remove backup catalogs

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
File Deletion (DC0040) | WinEventLog:Microsoft-Windows-Backup | Windows Backup Catalog deletion or catalog corruption
Service Metadata (DC0041) | WinEventLog:System | Service stopped or RecoveryDisabled set via REAgentC
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13

Mutable Elements
Field | Description
TimeWindow | Used to track rapid recovery feature changes over short intervals
CommandLinePattern | Can be tuned to catch variations in destructive flags (/all, /quiet, -delete)
ParentProcessContext | Tune based on common parent-child chains (e.g., powershell → diskshadow)
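As an added, runnable illustration of AN0933 (example code written for this page, not part of the ATT&CK detection strategy or any vendor rule), the Python below applies the CommandLinePattern, TimeWindow and ParentProcessContext elements to Sysmon EventCode=1 records already parsed into dicts with Computer, UtcTime, Image, CommandLine and ParentImage fields; the regexes, field names and sample events are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed regexes keyed by image name: an instance of the CommandLinePattern
# mutable element, covering shadow-copy deletion, catalog removal and recovery disablement.
RECOVERY_TAMPER_PATTERNS = {
    "vssadmin.exe":   re.compile(r"\bdelete\s+shadows\b", re.I),
    "wmic.exe":       re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin.exe":    re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "bcdedit.exe":    re.compile(r"\brecoveryenabled\s+no\b", re.I),
    "reagentc.exe":   re.compile(r"/disable\b", re.I),
    "diskshadow.exe": re.compile(r"\bdelete\s+shadows\b", re.I),
}

def classify(event):
    """Return the matched utility for one Sysmon EventCode=1 record, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    pattern = RECOVERY_TAMPER_PATTERNS.get(image)
    return image if pattern and pattern.search(event["CommandLine"]) else None

def detect(events, window=timedelta(minutes=5)):
    """One alert per host; hits within `window` of the first hit are folded into it."""
    hits = defaultdict(list)
    for ev in events:
        util = classify(ev)
        if util:
            hits[ev["Computer"]].append(
                (datetime.fromisoformat(ev["UtcTime"]), util, ev["ParentImage"]))
    alerts = []
    for host, rows in hits.items():
        rows.sort()
        first = rows[0][0]
        in_window = [r for r in rows if r[0] <= first + window]
        alerts.append({"host": host, "first_seen": first,
                       "utilities": sorted({r[1] for r in in_window}),   # TimeWindow
                       "parents": sorted({r[2] for r in in_window})})    # ParentProcessContext
    return alerts

# Constructed Sysmon EventCode=1 records (not real telemetry) to exercise the logic.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": "2025-10-21T10:00:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "UtcTime": "2025-10-21T10:00:04", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Computer": "WS02", "UtcTime": "2025-10-21T11:30:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"},
    {"Computer": "WS03", "UtcTime": "2025-10-21T12:00:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"},
]
```

A single hit still alerts, since one shadow-copy or catalog deletion is itself high-signal; the window only merges follow-on utilities on the same host into one alert so the full chain and its parent processes are visible at triage.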

AN0934

Shell utilities or scripts deleting /etc/systemd/system/rescue.target, /etc/fstab backups, or /boot/efi partitions; chattr used to block snapshot auto-recovery

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | auditd:SYSCALL | chattr, rm, shred, dd run on recovery directories or partitions
File Deletion (DC0040) | auditd:CONFIG_CHANGE | /etc/fstab, /etc/systemd/*

Mutable Elements
Field | Description
WatchedFilePaths | Modify to include specific OS backup configs or LVM snapshots
ShellProcessUser | Restrict detection to root or sudo users

AN0935

ESXi shell or vim-cmd execution that deletes all VM snapshots using vmsvc/snapshot.removeall or rm on snapshot paths

Log Sources
Data Component | Name | Channel
Snapshot Deletion (DC0049) | esxi:hostd | snapshot.removeall or snapshot file deletion

Mutable Elements
Field | Description
TargetVMNames | Limit to critical VM names to reduce false positives

AN0936

Execution of erase, format, and reload in immediate sequence from a privileged AAA session

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | networkdevice:syslog | command sequence: erase → format → reload

Mutable Elements
Field | Description
CommandSequenceWindow | Time between erase and reload command to establish causality
UserPrivilegeLevel | Filter for high-privilege user sessions

AN0937

Cloud API calls disabling snapshot scheduling, backup policies, versioning, followed by DeleteSnapshot/DeleteVolume operations

Log Sources
Data Component | Name | Channel
Snapshot Deletion (DC0049) | AWS:CloudTrail | DeleteSnapshot
Cloud Storage Deletion (DC0022) | AWS:CloudTrail | PutBackupVaultAccessPolicy

Mutable Elements
Field | Description
UserAgent | Tune for legitimate backup automation vs unknown tools
ResourceType | Filter only on production images or vaults