Adversaries may disable System Restore to prevent data recovery and hinder forensic analysis, which is a common tactic in ransomware attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware activity early and mitigate impact on critical healthcare systems.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
// Pivoting for rundll32
and InitiatingProcessFileName =~ 'rundll32.exe'
// Requiring a non-empty initiating command line
and isnotempty(InitiatingProcessCommandLine)
// Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
// Disabling system restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
id: c6387bdd-c0ee-4b88-bbc2-3897586ecdda
name: Ransomware hits healthcare - Turning off System Restore
description: |
  Find attempts to stop System Restore and prevent the system from creating restore points.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Pivoting for rundll32
  and InitiatingProcessFileName =~ 'rundll32.exe'
  // Requiring a non-empty initiating command line
  and isnotempty(InitiatingProcessCommandLine)
  // Looking for schtasks.exe as the created process
  and FileName in~ ('schtasks.exe')
  // Disabling system restore
  and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
  and ProcessCommandLine has 'disable'
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: System Restore Disabled via Group Policy
Description: An administrator disables System Restore through Group Policy to enforce a more secure configuration.
Filter/Exclusion: Check for EventID 1000 with EventSource GroupPolicy and EventMessage indicating policy change related to System Restore.
Scenario: Scheduled Task to Clean Up Restore Points
Description: A legitimate scheduled task runs to clean up old restore points as part of disk space management.
Filter/Exclusion: Filter by TaskName or CommandLine containing known cleanup tools like vssadmin or cleanmgr.exe.
Scenario: System Restore Disabled by IT Support for Patching
Description: IT disables System Restore temporarily to apply critical system patches or updates.
Filter/Exclusion: Check for EventID 6008 or EventID 6006 related to system reboot or patching events, and correlate with EventID 1000 for policy changes.
Scenario: Third-Party Backup Tool Disables System Restore
Description: A third-party backup solution disables System Restore to prevent interference with its own backup process.
Filter/Exclusion: Check for ProcessName containing known backup tools like Veeam.exe, Commvault.exe, or Acronis.exe.
Scenario: User Accidentally Disables System Restore
Description: A user mistakenly disables System Restore through the System Properties settings.
Filter/Exclusion: Filter by UserAccount or EventMessage indicating a user-initiated change, and check for EventID 1000 with EventSource User32 or Explorer.
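The detection logic of the KQL query above, together with the exclusion scenarios listed in this section, replayed over sample data as an added Python example (this is not part of the Sentinel content on this page and not Microsoft's code). It applies the query's predicates to constructed DeviceProcessEvents rows, approximates KQL `has` as case-insensitive whole-term matching (so `/disable` matches but `disabled` does not), and tags matches whose parent process is one of the listed backup tools or whose command line names a listed cleanup tool, instead of silently dropping them. `InitiatingProcessParentFileName` is a real DeviceProcessEvents column; using it to identify the backup-tool scenario, the fixed `NOW` timestamp, and every sample row are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed "current time", so the query's 7-day window is reproducible offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Exclusion lists taken from the scenario section above (filename matching is weak
# evidence, so matches are labelled, not discarded).
KNOWN_BACKUP_PARENTS = {"veeam.exe", "commvault.exe", "acronis.exe"}
KNOWN_CLEANUP_TOOLS = ("vssadmin", "cleanmgr.exe")

_TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric term."""
    return any(tok.lower() == term.lower() for tok in _TERM_RE.findall(text))


def matches_query(event: Dict, now: datetime = NOW, window: timedelta = timedelta(days=7)) -> bool:
    """Mirror the predicates of the hunting query, one `and` clause at a time."""
    if not event["Timestamp"] > now - window:                       # Timestamp > ago(7d)
        return False
    if event["InitiatingProcessFileName"].lower() != "rundll32.exe":  # =~ 'rundll32.exe'
        return False
    if not event["InitiatingProcessCommandLine"]:                   # isnotempty(...)
        return False
    if event["FileName"].lower() not in ("schtasks.exe",):          # in~ ('schtasks.exe')
        return False
    cmd = event["ProcessCommandLine"]
    return kql_has(cmd, "Change") and kql_has(cmd, "SystemRestore") and kql_has(cmd, "disable")


def expected_activity(event: Dict) -> Optional[str]:
    """Return a label when the hit fits one of the documented benign scenarios, else None."""
    if event.get("InitiatingProcessParentFileName", "").lower() in KNOWN_BACKUP_PARENTS:
        return "third-party backup tool"
    if any(tool in event["ProcessCommandLine"].lower() for tool in KNOWN_CLEANUP_TOOLS):
        return "restore-point cleanup task"
    return None


def hunt(events: List[Dict], now: datetime = NOW) -> List[Dict]:
    """Run the query over rows and annotate each hit; benign-looking hits stay in the output."""
    return [
        {"DeviceName": e["DeviceName"], "ProcessCommandLine": e["ProcessCommandLine"],
         "expected": expected_activity(e)}
        for e in events if matches_query(e, now)
    ]


# --- constructed sample telemetry (not real events) ---------------------------------
def _event(device: str, cmd: str, *, age: timedelta = timedelta(hours=3),
           initiating: str = "rundll32.exe", parent: str = "cmd.exe") -> Dict:
    """Build one constructed DeviceProcessEvents row with the columns the query reads."""
    return {
        "Timestamp": NOW - age,
        "DeviceName": device,
        "InitiatingProcessParentFileName": parent,
        "InitiatingProcessFileName": initiating,
        "InitiatingProcessCommandLine": initiating,
        "FileName": "schtasks.exe",
        "ProcessCommandLine": cmd,
    }


DISABLE_CMD = 'schtasks.exe /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /disable'

SAMPLE_EVENTS = [
    _event("ws-nurse-12", DISABLE_CMD),                                              # hit, unexplained
    _event("srv-backup-01", DISABLE_CMD, age=timedelta(days=1), parent="Veeam.exe"),  # hit, scenario 4
    _event("ws-lab-03", DISABLE_CMD, age=timedelta(days=10)),                        # outside 7d window
    _event("ws-lab-04", DISABLE_CMD.replace("/disable", "/enable")),                  # no 'disable' term
    _event("ws-lab-05", DISABLE_CMD, initiating="explorer.exe"),                      # not via rundll32
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it surfaces two rows: the ws-nurse-12 hit with `expected` set to `None`, which is what an analyst should triage first, and the srv-backup-01 hit labelled as the backup-tool scenario. Returning the labelled row rather than filtering it out keeps the exclusion reviewable, which matters because a parent named Veeam.exe is only a hint, not proof, that the activity is benign.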