T1490 - Inhibit System Recovery

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

Atomic Tests

Atomic Test #1 - Windows - Delete Volume Shadow Copies

Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

vssadmin.exe delete shadows /all /quiet


Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI

Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

wmic.exe shadowcopy delete


Atomic Test #3 - Windows - Delete Windows Backup Catalog

Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

wbadmin.exe delete catalog -quiet


Atomic Test #4 - Windows - Disable Windows Recovery Console Repair

Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no


Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell

Deletes Windows Volume Shadow Copies with PowerShell code that executes Get-WMIObject against Win32_Shadowcopy. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
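As an added defender-side example (not part of the Atomic Red Team page or its tests), the following Python applies one detection rule per command line listed above to constructed, tab-separated process-creation records in a simplified Sysmon Event ID 1 style. The record format, the rule names and the sample records are assumptions made for this example; benign activity such as listing shadow copies is included to show that it does not fire.

```python
import re

# One detection rule per T1490 command line on this page. Matching is case-insensitive,
# tolerates extra arguments between the tokens and does not require the .exe suffix.
T1490_RULES = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "bcdedit recovery disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I),
    "powershell Win32_Shadowcopy delete": re.compile(r"win32_shadowcopy\b.*\.delete\s*\(", re.I),
}

def parse_event(line):
    """Parse one tab-separated 'Key=Value' record (constructed format, not a real log export)."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def detect_t1490(line):
    """Return the names of the T1490 rules that match the record's CommandLine field."""
    cmd = parse_event(line).get("CommandLine", "")
    return [name for name, rx in T1490_RULES.items() if rx.search(cmd)]

def scan(lines):
    """Return (CommandLine, matched rule names) for every record that matches at least one rule."""
    hits = []
    for line in lines:
        matches = detect_t1490(line)
        if matches:
            hits.append((parse_event(line)["CommandLine"], matches))
    return hits

# Constructed sample records; the second and the last are benign and must not fire.
SAMPLE_EVENTS = [
    "EventID=1\tImage=C:\\Windows\\System32\\vssadmin.exe\tCommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventID=1\tImage=C:\\Windows\\System32\\vssadmin.exe\tCommandLine=vssadmin list shadows",
    "EventID=1\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe\tCommandLine=wmic.exe shadowcopy delete",
    "EventID=1\tImage=C:\\Windows\\System32\\wbadmin.exe\tCommandLine=wbadmin.exe delete catalog -quiet",
    "EventID=1\tImage=C:\\Windows\\System32\\bcdedit.exe\tCommandLine=bcdedit.exe /set {default} recoveryenabled no",
    "EventID=1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tCommandLine="
    'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    "EventID=1\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS):
        print(f"T1490 {rules}: {cmd}")
```

The CommandLine field is the only one the rules inspect, so the same rules apply to Security event 4688 records as long as command-line auditing is enabled.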