Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
On network devices, adversaries may leverage Disk Wipe to delete backup firmware images and reformat the file system, then System Shutdown/Reboot to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
On ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support Data Encrypted for Impact, preventing them from being leveraged as backups (e.g., via vim-cmd vmsvc/snapshot.removeall).(Citation: Cybereason)
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
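The ESXi snapshot removal and the cloud-side deletion of snapshots and object versions described above, as an added detection example that is not part of the ATT&CK page or its cited reports: the code scans constructed ESXi shell.log lines for the vim-cmd snapshot-removal command and constructed CloudTrail-style events for recovery-artifact deletion and S3 versioning suspension. All log lines and events are constructed; the CloudTrail field names used (eventSource, eventName, userIdentity.arn, requestParameters.VersioningConfiguration.Status) follow the real record shape but are reduced to what the logic reads, and the list of flagged API calls is an assumption chosen to match the artifacts the text names.

```python
"""Detection logic for recovery-inhibition activity over constructed sample logs.

Added example, not code from the ATT&CK page. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # "esxi-shell" or "cloudtrail"
    actor: str    # shell user or cloud principal that issued the action
    detail: str   # the command or API call that was flagged


# Real ESXi /var/log/shell.log layout: "<timestamp> shell[<pid>]: [<user>]: <command>"
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# snapshot.removeall is the command the page names; matching the prefix also
# covers the single-snapshot variant (snapshot.remove).
ESXI_SNAPSHOT_REMOVAL_PREFIX = "vim-cmd vmsvc/snapshot.remove"


def scan_esxi_shell_log(text: str) -> list[Finding]:
    """Flag every interactive shell command that removes VM snapshots."""
    findings = []
    for line in text.splitlines():
        m = SHELL_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line
        cmd = m.group("cmd").strip()
        if cmd.startswith(ESXI_SNAPSHOT_REMOVAL_PREFIX):
            findings.append(Finding("esxi-shell", m.group("user"), cmd))
    return findings


# (eventSource, eventName) pairs that delete recovery artifacts; assumed list.
DESTRUCTIVE_API_CALLS = {
    ("ec2.amazonaws.com", "DeleteSnapshot"),
    ("ec2.amazonaws.com", "DeregisterImage"),
    ("rds.amazonaws.com", "DeleteDBSnapshot"),
    ("backup.amazonaws.com", "DeleteRecoveryPoint"),
    ("backup.amazonaws.com", "DeleteBackupVault"),
}


def scan_cloudtrail(events: list[dict]) -> list[Finding]:
    """Flag backup/snapshot deletions and S3 versioning being suspended."""
    findings = []
    for ev in events:
        key = (ev.get("eventSource"), ev.get("eventName"))
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if key in DESTRUCTIVE_API_CALLS:
            findings.append(Finding("cloudtrail", actor, f"{key[1]} on {key[0]}"))
        elif key == ("s3.amazonaws.com", "PutBucketVersioning"):
            params = ev.get("requestParameters", {})
            status = params.get("VersioningConfiguration", {}).get("Status")
            if status == "Suspended":  # re-enabling versioning is not flagged
                bucket = params.get("bucketName", "?")
                findings.append(Finding("cloudtrail", actor, f"versioning suspended on {bucket}"))
    return findings


# Constructed sample input: only the removeall line is hostile.
ESXI_SHELL_LOG = """\
2024-05-01T02:11:03Z shell[2100020]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T02:11:40Z shell[2100020]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-05-01T02:12:05Z shell[2100020]: [root]: esxcli storage filesystem list
"""

# Constructed sample events: one read-only call, one deletion, one suspension, one re-enable.
SAMPLE_CLOUDTRAIL_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Developer"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "prod-backups",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/BackupAdmin"},
     "requestParameters": {"bucketName": "prod-backups",
                           "VersioningConfiguration": {"Status": "Enabled"}}},
]


def scan_all() -> list[Finding]:
    """Run both scanners over the constructed samples."""
    return scan_esxi_shell_log(ESXI_SHELL_LOG) + scan_cloudtrail(SAMPLE_CLOUDTRAIL_EVENTS)


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.actor}: {f.detail}")
```

In practice the ESXi scanner would read /var/log/shell.log forwarded by syslog, and the CloudTrail scanner would consume the organization trail; both expect a single flagged action to be rare enough to page on, since legitimate snapshot cleanup and versioning changes normally come from a known automation principal that can be allow-listed on the actor field.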
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1490 | Inhibit System Recovery | This control requires both CSP and CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1490 | Inhibit System Recovery | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Implement application controls and technical controls to prevent adversaries from disabling versioning and backup policies and deleting files involved in disaster recovery scenarios. |
| UEM-05 | Endpoint Management | mitigates | T1490 | Inhibit System Recovery | This control provides for the implementation of best practices for endpoint management. Proper security configurations, limited system access, and application control can help mitigate the risk of adversaries deleting or removing built-in data and turning off services designed to aid in the recovery of a corrupted system. |
| BCR-08 | Backup | mitigates | T1490 | Inhibit System Recovery | Adversaries may delete or remove built-in data and turn off services designed to aid in recovery, disable versioning and backup policies, and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios. Periodically backing up data stored in the cloud; ensuring backup confidentiality, integrity, and availability; and verifying data restoration from backup provides data protection and allows for quick recovery from attacks intended to prevent recovery. |
| IAM-05 | Least Privilege | mitigates | T1490 | Inhibit System Recovery | This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to delete backup files and disable any restoration capabilities. To mitigate it, limit the user accounts that have access to backups to only those required; for example, in AWS environments, consider using Service Control Policies to restrict API calls that delete backups, snapshots, and images. |
| DSP-16 | Data Retention and Deletion | mitigates | T1490 | Inhibit System Recovery | This control describes the shared responsibility of both the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party's environment. For this technique, in cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios. Enabling versioning on storage objects where possible within the cloud environment, and copying backups to other accounts or regions to isolate them from the original copies, can lessen the impact of this technique. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1490 | Inhibit System Recovery | This control provides for the implementation of best practices for third-party endpoint management. Proper security configurations, limited system access, and application control can help mitigate the risk of adversaries deleting or removing built-in data and turning off services designed to aid in the recovery of a corrupted system. |
| DCS-18 | Datacenter Operations Resilience | mitigates | T1490 | Inhibit System Recovery | Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity. |
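A worked form of the IAM-05 and DSP-16 mitigations in the table above, as an added example that is not the CSA CCM's or the mapping project's own code: it builds an AWS Service Control Policy that denies the API calls which delete EBS snapshots, AMIs, RDS snapshots, AWS Backup recovery points and vaults, and prior S3 object versions, exempting a dedicated backup role via the aws:PrincipalArn condition key, and pairs it with a small evaluator so the policy can be checked before it is attached. The role name BackupAdmin, the account ID, and the exact action list are assumptions; the evaluator models only the Deny statement of this policy and is not a substitute for the IAM policy simulator.

```python
"""Build and sanity-check an SCP that protects recovery artifacts.

Added example, not code from the page. Role name, account ID and the action
list are assumptions; scp_denies() models only this policy's Deny statement.
"""
from __future__ import annotations

import fnmatch
import json

# API actions that remove recovery artifacts; assumed list matching the text's
# "backups, snapshots, images" and "prior versions of objects".
RECOVERY_DELETION_ACTIONS = [
    "ec2:DeleteSnapshot",
    "ec2:DeregisterImage",
    "rds:DeleteDBSnapshot",
    "rds:DeleteDBClusterSnapshot",
    "backup:DeleteRecoveryPoint",
    "backup:DeleteBackupVault",
    "s3:DeleteObjectVersion",
]


def build_backup_guard_scp(exempt_role_pattern: str = "arn:aws:iam::*:role/BackupAdmin") -> dict:
    """Return an SCP document that denies the deletions for every principal
    except those matching exempt_role_pattern (assumed role name)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRecoveryArtifactDeletion",
                "Effect": "Deny",
                "Action": RECOVERY_DELETION_ACTIONS,
                "Resource": "*",
                # StringNotLike: the deny applies unless the caller's ARN matches.
                "Condition": {"StringNotLike": {"aws:PrincipalArn": [exempt_role_pattern]}},
            }
        ],
    }


def render_scp(policy: dict) -> str:
    """JSON text suitable for pasting into the Organizations console."""
    return json.dumps(policy, indent=2)


def _as_list(value) -> list[str]:
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action: str) -> bool:
    # IAM action names are case-insensitive; wildcards follow glob rules.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _arn_matches(patterns, arn: str) -> bool:
    # StringNotLike on ARNs is case-sensitive.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """Simplified check: does any Deny statement in this policy apply to
    (action, principal)? Only the aws:PrincipalArn StringNotLike condition
    used above is modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _action_matches(stmt.get("Action", []), action):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        if _arn_matches(exempt, principal_arn):
            continue  # condition fails, so the Deny does not apply
        return True
    return False


if __name__ == "__main__":
    policy = build_backup_guard_scp()
    print(render_scp(policy))
    dev = "arn:aws:iam::123456789012:role/Developer"       # constructed
    backup = "arn:aws:iam::123456789012:role/BackupAdmin"  # constructed
    for who in (dev, backup):
        print(who, "-> DeleteSnapshot denied:", scp_denies(policy, "ec2:DeleteSnapshot", who))
```

Two caveats a practitioner should keep in mind: SCPs never restrict the organization's management account, so backups there need a separate guard, and the deny only protects artifacts that exist in the first place; the cross-account or cross-region copies that DSP-16 calls for still have to be made by the exempt backup role into an account where the same SCP applies.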