System Restore Disabled via Registry Modification
Attackers may attempt to disable system restore via registry modifications through the command line to prevent recovery after malicious activity.
Attackers may attempt to disable the Windows System Restore feature to hinder forensic analysis and recovery efforts. This involves modifying specific registry keys related to System Restore configuration and operation, effectively preventing the system from creating or using restore points. The commands are executed via cmd, PowerShell or other scripting engines. Disabling System Restore can allow malware to operate without the risk of easy rollback, potentially increasing the impact of a…
Detection coverage 1
System Restore Registry Modification via CommandLine
Severity: high. Detects System Restore registry modification via the command line, which adversaries can use to disable System Restore on the computer.
Detection queries are kept inside the platform.