禁止系统恢复

攻击者可能会删除或删除内置的操作系统数据，并关闭旨在帮助恢复已损坏系统以防止恢复的服务。操作系统可能包含有助于修复损坏的系统的功能，例如备份目录，卷影副本和自动修复功能。攻击者可能会禁用或删除系统恢复功能，以增强“数据销毁”和“ 加密影响力”的效果。

攻击者已使用许多本地Windows实用程序来禁用或删除系统恢复功能：

• vssadmin.exe 可用于删除系统上的所有卷影副本- vssadmin.exe delete shadows /all /quiet
• Windows Management Instrumentation (T1047 Windows管理规范)可用于删除卷影副本-wmic shadowcopy delete
• wbadmin.exe 可用于删除Windows备份目录- wbadmin.exe delete catalog -quiet
• bcdedit.exe 可通过修改启动配置数据来禁用Windows自动恢复功能- bcdedit.exe /set bootstatuspolicy ignoreallfailures & bcdedit /set recoveryenabled no

Inhibit System Recovery

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set bootstatuspolicy ignoreallfailures & bcdedit /set recoveryenabled no

缓解措施

缓解	描述
数据备份	考虑实施IT灾难恢复计划，其中包含用于进行可用于还原组织数据的常规数据备份的过程。确保备份存储在系统之外，并且免受攻击者可能用来获取访问权限并破坏备份以防止恢复的常见方法的攻击。
操作系统配置	考虑使用技术控制来防止服务禁用或删除系统恢复中涉及的文件。

Mitigation	Description
Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
Operating System Configuration	Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

检测

使用进程检测来检测禁止系统恢复的二进制文件的执行和命令行参数，例如vssadmin，wbadmin和bcdedit。Windows事件日志，例如。指示系统目录已删除的事件ID 524可能包含与可疑活动相关的条目。

检测系统恢复中涉及的服务的状态。检测注册表中与系统恢复功能相关的更改（例如：创建HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage）。

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.

Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).