Register to stream ATT&CKcon 2.0 October 29-30

Inhibit System Recovery

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[1][2]

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no
ID: T1490
Tactic: Impact
Platform: Windows, macOS, Linux
Permissions Required: Administrator, root, SYSTEM, User
Data Sources: Windows Registry, Services, Windows event logs, Process command-line parameters, Process monitoring
Impact Type: Availability
Contributors: Yonatan Gotlib, Deep Instinct
Version: 1.0

Mitigations

Mitigation Description
Data Backup Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
Operating System Configuration Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

Examples

Name Description
H1N1 H1N1 disable recovery options and deletes shadow copies from the victim. [3]
JCry JCry has been observed deleting shadow copies to ensure that data cannot be restored easily. [6]
Olympic Destroyer Olympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair. [1]
WannaCry WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features. [4] [2] [5]

Detection

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.

Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).

References