T1490 Inhibit System Recovery Mappings

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
  • Windows Management Instrumentation can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
  • <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
  • <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>
View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1490 Inhibit System Recovery
AC-6 Least Privilege Protects T1490 Inhibit System Recovery
CM-2 Baseline Configuration Protects T1490 Inhibit System Recovery
CM-6 Configuration Settings Protects T1490 Inhibit System Recovery
CM-7 Least Functionality Protects T1490 Inhibit System Recovery
CP-10 System Recovery and Reconstitution Protects T1490 Inhibit System Recovery
CP-2 Contingency Plan Protects T1490 Inhibit System Recovery
CP-7 Alternate Processing Site Protects T1490 Inhibit System Recovery
CP-9 System Backup Protects T1490 Inhibit System Recovery
SI-3 Malicious Code Protection Protects T1490 Inhibit System Recovery
SI-4 System Monitoring Protects T1490 Inhibit System Recovery
SI-7 Software, Firmware, and Information Integrity Protects T1490 Inhibit System Recovery
azure_sentinel Azure Sentinel technique_scores T1490 Inhibit System Recovery