Adversaries may delete built-in operating system data and turn off services designed to aid in the recovery of a corrupted system, so that the victim cannot restore it.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems contain features that can help repair a corrupted system, such as the backup catalog, volume shadow copies, and automatic repair features. Adversaries disable or delete these recovery features to amplify the effects of Data Destruction (T1485) and Data Encrypted for Impact (T1486): a victim who can roll back from a shadow copy or a backup has no reason to pay or to rebuild from scratch.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1490 | Inhibit System Recovery |
| AC-6 | Least Privilege | Protects | T1490 | Inhibit System Recovery |
| CM-2 | Baseline Configuration | Protects | T1490 | Inhibit System Recovery |
| CM-6 | Configuration Settings | Protects | T1490 | Inhibit System Recovery |
| CM-7 | Least Functionality | Protects | T1490 | Inhibit System Recovery |
| CP-10 | System Recovery and Reconstitution | Protects | T1490 | Inhibit System Recovery |
| CP-2 | Contingency Plan | Protects | T1490 | Inhibit System Recovery |
| CP-7 | Alternate Processing Site | Protects | T1490 | Inhibit System Recovery |
| CP-9 | System Backup | Protects | T1490 | Inhibit System Recovery |
| SI-3 | Malicious Code Protection | Protects | T1490 | Inhibit System Recovery |
| SI-4 | System Monitoring | Protects | T1490 | Inhibit System Recovery |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1490 | Inhibit System Recovery |
| azure_sentinel | Azure Sentinel | technique_scores | T1490 | Inhibit System Recovery |
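The SI-4 (System Monitoring) mapping above only protects against T1490 if the monitoring actually recognises the native utilities the technique description refers to. The following is an added example, not code from this page, from ATT&CK or from the mapping project: a small Python detection that runs the well-known T1490 command-line patterns (vssadmin delete shadows / resize shadowstorage, wmic shadowcopy delete, wbadmin delete catalog or systemstatebackup, bcdedit disabling recovery, Win32_ShadowCopy deletion from PowerShell) over constructed Sysmon-style process-creation records, then groups hits by parent process so that several recovery features killed from one parent stand out from a lone administrative shadow-copy deletion. The sample events, the parent path update.exe and the rule names are assumptions made for the example.

```python
"""Flag Windows process-creation events whose command lines invoke the native
utilities ATT&CK associates with T1490 (Inhibit System Recovery), then group
hits by parent process to surface the back-to-back "kill recovery" sequences
ransomware runs before encrypting."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Detection rules: (name, pattern). Case-insensitive and tolerant of a full
# path, an optional .exe suffix and variable whitespace, because the attacker
# controls the exact spelling of the command line.
_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",  # shrinking the store evicts older copies
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b)", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy\b.*(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I)),
]


@dataclass(frozen=True)
class Finding:
    index: int          # position of the event in the input stream
    rule: str
    image: str
    parent_image: str
    command_line: str


def match_rules(command_line: str) -> list[str]:
    """Return the names of every rule the command line triggers."""
    return [name for name, pattern in _RULES if pattern.search(command_line)]


def detect(events: list[dict]) -> list[Finding]:
    """Run the rules over Sysmon-style Event ID 1 records (dicts with Image,
    CommandLine and ParentImage fields); one Finding per rule hit."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        for rule in match_rules(cmd):
            findings.append(Finding(i, rule, ev.get("Image", ""),
                                    ev.get("ParentImage", ""), cmd))
    return findings


def recovery_chains(findings: list[Finding], min_rules: int = 2) -> dict[str, list[str]]:
    """Group findings by parent process and keep parents that triggered at
    least `min_rules` distinct rules. One deleted shadow copy may be an admin
    reclaiming disk; several different recovery features killed from the same
    parent is the pre-encryption pattern. On real telemetry key on
    ParentProcessGuid rather than ParentImage so unrelated cmd.exe instances
    are not merged."""
    by_parent: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_parent[f.parent_image].add(f.rule)
    return {parent: sorted(rules) for parent, rules in by_parent.items()
            if len(rules) >= min_rules}


# Constructed sample events (not real telemetry), modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                    "& bcdedit /set {default} recoveryenabled no",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",   # benign: enumerates, deletes nothing
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"event {f.index}: {f.rule}  <- {f.command_line}")
    for parent, rules in recovery_chains(hits).items():
        print(f"chain from {parent}: {', '.join(rules)}")
```

Two design points matter in practice. The rules match on the command line rather than the image path, because the same deletion can be reached through cmd.exe, WMIC, PowerShell or a renamed copy of the binary, and the `vssadmin list shadows` record shows why enumeration must not be conflated with deletion. The chain grouping is what turns individual hits into a high-confidence alert: the AC-6 and CM-7 mappings in the table reduce who can run these utilities at all, and the SI-4 monitoring should page on the sequence, not on each line.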