Home
ATT&CK Techniques
T1490 Inhibit System Recovery

T1490 Inhibit System Recovery

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

<code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
Windows Management Instrumentation can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
<code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
<code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>
<code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
<code>diskshadow.exe</code> can be used to delete all volume shadow copies on a system - <code>diskshadow delete shadows all</code> (Citation: Diskshadow) (Citation: Crytox Ransomware)

On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.

Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.PS-01.01	Configuration baselines	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation. References
PR.PS-01.02	Least functionality	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. References
PR.IR-03.01	Alternative resilience mechanisms	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement protects against Inhibit System Recovery through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services. References
PR.DS-11.01	Data backup and replication	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement provides protection from adversaries that try to remove built in data and/or turn off services that are used to help with the recovery of corrupted systems. Ensuring backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery is a way to deny adversaries access to available backup and recovery options References
PR.PS-01.03	Configuration deviation	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement provides protection from Inhibit System Recovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. References
ID.IM-02.06	Accurate data recovery	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to hinder the recovery of a compromised system. References
PR.AA-01.01	Identity and credential management	Mitigates	T1490	Inhibit System Recovery	Comments This diagnostic statement protects against Inhibit System Recovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CM-06	Configuration Settings	mitigates	T1490	Inhibit System Recovery
CP-07	Alternate Processing Site	mitigates	T1490	Inhibit System Recovery
CP-10	System Recovery and Reconstitution	mitigates	T1490	Inhibit System Recovery
CP-02	Contingency Plan	mitigates	T1490	Inhibit System Recovery
CP-09	System Backup	mitigates	T1490	Inhibit System Recovery
SI-03	Malicious Code Protection	mitigates	T1490	Inhibit System Recovery
SI-07	Software, Firmware, and Information Integrity	mitigates	T1490	Inhibit System Recovery
CM-02	Baseline Configuration	mitigates	T1490	Inhibit System Recovery
CM-07	Least Functionality	mitigates	T1490	Inhibit System Recovery
SI-04	System Monitoring	mitigates	T1490	Inhibit System Recovery
AC-02	Account Management	mitigates	T1490	Inhibit System Recovery
AC-03	Access Enforcement	mitigates	T1490	Inhibit System Recovery
AC-06	Least Privilege	mitigates	T1490	Inhibit System Recovery

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.malware.variety.Disable controls	Disable or interfere with security controls	related-to	T1490	Inhibit System Recovery
action.malware.variety.Ransomware	Ransomware (encrypt or seize stored data)	related-to	T1490	Inhibit System Recovery
attribute.availability.variety.Loss	Loss	related-to	T1490	Inhibit System Recovery

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
microsoft_sentinel	Microsoft Sentinel	technique_scores	T1490	Inhibit System Recovery	Comments The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to interfere with backups. References https://learn.microsoft.com/en-us/azure/sentinel/overview https://learn.microsoft.com/en-us/azure/sentinel/hunting

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
backup_and_dr_actifiogo	Backup and DR-Actifio GO	technique_scores	T1490	Inhibit System Recovery	Comments Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to an adversary deleting or removing built-in operating system data and services since an organization could restore system and services back to the latest backup. References ['https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb' 'https://cloud.google.com/backup-disaster-recovery']

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
aws_cloudendure_disaster_recovery	AWS CloudEndure Disaster Recovery	technique_scores	T1490	Inhibit System Recovery	Comments AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant. References https://aws.amazon.com/cloudendure-disaster-recovery/ https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm
aws_rds	AWS RDS	technique_scores	T1490	Inhibit System Recovery	Comments AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery. RDS-EVENT-0028: Automatic backups for this DB instance have been disabled This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups. References https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
aws_rds	AWS RDS	technique_scores	T1490	Inhibit System Recovery	Comments AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant. References https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html