```yaml
title: System Recovery Inhibition
id: edr-win-impact-inhibit-recovery
status: stable
description: >
    Detects multiple pre-ransomware techniques that inhibit system recovery — shadow copy
    deletion (vssadmin, wmic, PowerShell WMI), WinRE disabling (bcdedit, reagentc), backup
    catalog deletion (wbadmin), and targeted event log clearing (wevtutil). These are almost
    universally executed in the minutes before ransomware detonation.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
    - https://blog.talosintelligence.com/new-chaos-ransomware/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
    - attack.impact
    - attack.defense_evasion
    - attack.t1490
    - attack.t1070.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_bcdedit:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains: 'recoveryenabled no'
    selection_wbadmin:
        Image|endswith: '\wbadmin.exe'
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
    selection_vssadmin:
        Image|endswith:
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    selection_ps_vss:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Win32_ShadowCopy'
            - 'Remove-WmiObject'
    selection_wevtutil:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains:
            - 'cl Application'
            - 'cl Security'
            - 'cl System'
            - 'cl Microsoft-Windows-PowerShell'
            - 'cl Microsoft-Windows-Sysmon'
    selection_sc_vss:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'vss'
            - 'stop'
    selection_reagentc:
        Image|endswith: '\reagentc.exe'
        CommandLine|contains: 'disable'
    filter_legit:
        ParentCommandLine|contains:
            - 'cbengine.exe'
            - 'CitrixOptimizerTool.exe'
            - 'Visual Studio'
    condition: 1 of selection_* and not filter_legit
falsepositives:
    - Backup software managing shadow copies (Commvault, Citrix Optimizer)
    - System administrators disabling WinRE during imaging
level: medium
```
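To see what the rule above actually fires on, here is an added Python evaluator (example code, not part of the rule or of any Sigma tooling) that transcribes its selections and `filter_legit` and runs them over constructed process_creation events. It assumes Sigma's default case-insensitive string comparison and plain substring semantics for `contains`; the function and sample names (`evaluate`, `SAMPLE_EVENTS`) are mine.

```python
# Sigma compares strings case-insensitively by default, so normalise first.
def _n(s):
    return (s or "").lower()

def endswith(value, suffixes):            # Image|endswith
    return any(_n(value).endswith(_n(s)) for s in suffixes)

def contains(value, needles, require_all=False):   # CommandLine|contains / contains|all
    found = [_n(x) in _n(value) for x in needles]
    return all(found) if require_all else any(found)

# Selections transcribed from the rule: (image suffixes, needles, contains|all?)
SELECTIONS = {
    "bcdedit":  (["\\bcdedit.exe"], ["recoveryenabled no"], False),
    "wbadmin":  (["\\wbadmin.exe"], ["delete", "catalog"], True),
    "vssadmin": (["\\vssadmin.exe", "\\diskshadow.exe"], ["delete shadows"], False),
    "wmic":     (["\\wmic.exe"], ["shadowcopy", "delete"], True),
    "ps_vss":   (["\\powershell.exe", "\\pwsh.exe"],
                 ["Win32_ShadowCopy", "Remove-WmiObject"], True),
    "wevtutil": (["\\wevtutil.exe"], ["cl Application", "cl Security", "cl System",
                 "cl Microsoft-Windows-PowerShell", "cl Microsoft-Windows-Sysmon"], False),
    "sc_vss":   (["\\sc.exe"], ["vss", "stop"], True),
    "reagentc": (["\\reagentc.exe"], ["disable"], False),
}
FILTER_PARENTS = ["cbengine.exe", "CitrixOptimizerTool.exe", "Visual Studio"]

def evaluate(event):
    """Names of matching selections; [] if nothing matches or filter_legit applies.
    Implements the condition: 1 of selection_* and not filter_legit."""
    if contains(event.get("ParentCommandLine"), FILTER_PARENTS):
        return []
    return [name for name, (images, needles, need_all) in SELECTIONS.items()
            if endswith(event.get("Image"), images)
            and contains(event.get("CommandLine"), needles, need_all)]

# Constructed sample events (not real telemetry): a shadow-copy deletion from an
# unknown parent, the same command under an allow-listed backup agent, and a log clear
# of a channel the rule deliberately does not list.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentCommandLine": r"C:\Temp\payload.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentCommandLine": r"C:\Backup\cbengine.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentCommandLine": "cmd.exe",
     "CommandLine": "wevtutil cl Setup"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", evaluate(ev) or "no alert")
```

The second event shows the cost of a `ParentCommandLine` allow-list: anything that can be launched with a matching parent string is excluded, so the filter is worth revisiting per environment.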