{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1490/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["impact","t1490","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may disable the Windows System Restore feature to prevent victims from easily reverting their systems to a clean state after an infection or other malicious activity. This action complicates incident response and remediation efforts, forcing more complex and time-consuming recovery procedures. Disabling system restore is often performed post-compromise to ensure persistence and hinder forensic analysis. This technique can be implemented manually through the registry editor or via automated scripts, making it accessible to a wide range of threat actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through various methods (e.g., phishing, exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to Administrator or SYSTEM.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker targets the \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker targets the \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the value of the targeted registry key to \u003ccode\u003eDWORD:00000001\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the System Restore feature is disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, knowing that recovery is hindered.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling System Restore can significantly impede recovery efforts following a cyber incident. Organizations may face longer downtimes and increased costs associated with manual system reimaging or advanced forensic analysis. The absence of readily available restore points can also lead to data loss if systems are severely damaged or encrypted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Disable System Restore\u003c/code\u003e to your SIEM to detect malicious attempts to disable System Restore via registry modification.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications related to System Restore configurations, focusing on the keys \u003ccode\u003e\\Policies\\Microsoft\\Windows NT\\SystemRestore\u003c/code\u003e and \u003ccode\u003e\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\u003c/code\u003e, and values set to \u003ccode\u003eDWORD (0x00000001)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to prevent unauthorized modification of registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-disable-system-restore/","summary":"Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.","title":"Windows System Restore Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-disable-system-restore/"}],"language":"en","title":"CraftedSignal Threat Feed — T1490","version":"https://jsonfeed.org/version/1.1"}