Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that help repair corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete these recovery features to augment the effects of Data Destruction and Data Encrypted for Impact, leaving the victim with no local path back to a working system.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
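The detection logic below is an added example, not part of the original ATT&CK page or any vendor's code. It runs a small set of command-line rules over constructed process-creation records (Sysmon Event ID 1 / Security 4688 style) and flags the common recovery-inhibiting invocations of the Windows utilities that manipulate shadow copies, the backup catalog and the boot recovery settings (vssadmin, wmic, wbadmin, bcdedit, and the Win32_ShadowCopy WMI class from PowerShell). The sample log lines, host names and user names are made up for the example; the rule patterns are the editor's, and an "audit" verb such as `vssadmin list shadows` is deliberately left unflagged so the rules do not fire on routine administration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed process-creation records for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "vssadmin list shadows"},                       # benign audit, must not fire
    {"host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "srv02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "srv02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws03", "user": "CORP\\carol", "parent": "powershell.exe",
     "cmdline": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"host": "ws03", "user": "CORP\\carol", "parent": "explorer.exe",
     "cmdline": "notepad.exe report.txt"},                      # unrelated, must not fire
]

# Rule name -> case-insensitive pattern. `\b` lets the binary name match after a
# full path or backslash, and the optional `.exe` covers both spellings.
RULES = {
    "vssadmin_delete_shadows":   r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b",
    "vssadmin_resize_storage":   r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b",
    "wmic_shadowcopy_delete":    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin_delete_catalog":    r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b",
    "bcdedit_recovery_disabled": r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b",
    "bcdedit_ignore_failures":   r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "wmi_shadowcopy_delete_ps":  r"\bwin32_shadowcopy\b.*\bdelete\b",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    rule: str
    cmdline: str
    technique: str = "T1490"


def normalize(cmdline: str) -> str:
    """Collapse whitespace so padded or tab-separated arguments still match."""
    return " ".join(cmdline.split())


def detect(events) -> list:
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        cmd = normalize(ev.get("cmdline", ""))
        for name, rx in _COMPILED.items():
            if rx.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], ev["parent"], name, cmd))
    return findings


def by_host(findings) -> dict:
    """Count hits per host: several distinct rules on one host in a short window
    is the high-fidelity signal, a single vssadmin call may be an admin."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.user:22} {f.parent:16} {f.rule:26} {f.cmdline}")
    print("per-host:", by_host(hits))
```

In production these rules belong in the EDR or SIEM query language rather than a script, but the shape is the same: match the destructive verb, not just the binary, and escalate when several rules fire on the same host close together, since that clustering is what distinguishes ransomware staging from a one-off administrative cleanup.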
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1490 | Inhibit System Recovery | |
AC-6 | Least Privilege | Protects | T1490 | Inhibit System Recovery | |
CM-2 | Baseline Configuration | Protects | T1490 | Inhibit System Recovery | |
CM-6 | Configuration Settings | Protects | T1490 | Inhibit System Recovery | |
CM-7 | Least Functionality | Protects | T1490 | Inhibit System Recovery | |
CP-10 | System Recovery and Reconstitution | Protects | T1490 | Inhibit System Recovery | |
CP-2 | Contingency Plan | Protects | T1490 | Inhibit System Recovery | |
CP-7 | Alternate Processing Site | Protects | T1490 | Inhibit System Recovery | |
CP-9 | System Backup | Protects | T1490 | Inhibit System Recovery | |
SI-3 | Malicious Code Protection | Protects | T1490 | Inhibit System Recovery | |
SI-4 | System Monitoring | Protects | T1490 | Inhibit System Recovery | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1490 | Inhibit System Recovery | |
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1490 | Inhibit System Recovery | |
action.malware.variety.Ransomware | Ransomware (encrypt or seize stored data) | related-to | T1490 | Inhibit System Recovery | |
aws_rds | AWS RDS | technique_scores | T1490 | Inhibit System Recovery | AWS RDS generates events for database instances, including RDS-EVENT-0028 ("Automatic backups for this DB instance have been disabled"), which may indicate that an adversary has attempted to inhibit system recovery. This mapping is given a score of Partial because the event cannot differentiate between an authorized and an unauthorized disabling of automatic backups. |
aws_rds | AWS RDS | technique_scores | T1490 | Inhibit System Recovery | AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant. |
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1490 | Inhibit System Recovery | AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into the AWS Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant. |