Adversaries may disable system restore to prevent data recovery after ransomware encryption, which is a common tactic in ransomware attacks targeting critical infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware activity early and mitigate data loss.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
    //Pivoting for rundll32
    and InitiatingProcessFileName =~ 'rundll32.exe'
    //Looking for empty command line
    and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
    //Looking for schtasks.exe as the created process
    and FileName in~ ('schtasks.exe')
    //Disabling system restore
    and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
    and ProcessCommandLine has 'disable'
```
```yaml
id: f4c234fd-2889-41b6-ad4b-df257adf882b
name: turn-off-system-restore
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
  The following query detects attempts to stop System Restore, which would prevent the user from recovering data by going back to a restore point.
  The See also section below lists more queries related to techniques shared by these campaigns.
  Reference - https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
  - Impact
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
      //Pivoting for rundll32
      and InitiatingProcessFileName =~ 'rundll32.exe'
      //Looking for empty command line
      and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
      //Looking for schtasks.exe as the created process
      and FileName in~ ('schtasks.exe')
      //Disabling system restore
      and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
      and ProcessCommandLine has 'disable'
```
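To show what the query's predicates actually select, including the difference between `has` (whole-term match) and `contains` (substring match), here is an added Python re-implementation of the detection logic run over DeviceProcessEvents-shaped rows. It is example code, not part of the original hunting query; the sample rows are constructed, and `has_term` only approximates KQL term matching.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed DeviceProcessEvents-shaped rows (sample data, not real telemetry).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SR_CMD = 'schtasks.exe /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /disable'
SAMPLE_EVENTS = [
    {   # rundll32 started with a bare command line, spawning schtasks to disable the SR task
        "Timestamp": NOW - timedelta(hours=2), "InitiatingProcessFileName": "RUNDLL32.EXE",
        "InitiatingProcessCommandLine": "rundll32.exe", "FileName": "schtasks.exe",
        "ProcessCommandLine": SR_CMD},
    {   # same schtasks command, but from an interactive cmd.exe: not the rundll32 pivot
        "Timestamp": NOW - timedelta(hours=1), "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": '"cmd.exe"', "FileName": "schtasks.exe",
        "ProcessCommandLine": SR_CMD},
    {   # rundll32 with an ordinary argument list (contains a space): excluded
        "Timestamp": NOW - timedelta(hours=1), "InitiatingProcessFileName": "rundll32.exe",
        "InitiatingProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
        "FileName": "schtasks.exe", "ProcessCommandLine": SR_CMD},
    {   # 'has' is a term match: SystemRestorePoint is not the term SystemRestore
        "Timestamp": NOW - timedelta(hours=1), "InitiatingProcessFileName": "rundll32.exe",
        "InitiatingProcessCommandLine": "rundll32.exe", "FileName": "schtasks.exe",
        "ProcessCommandLine": "schtasks.exe /Change /TN SystemRestorePoint /disable"},
    {   # true-positive shape, but outside the 7-day window
        "Timestamp": NOW - timedelta(days=9), "InitiatingProcessFileName": "rundll32.exe",
        "InitiatingProcessCommandLine": "rundll32.exe", "FileName": "schtasks.exe",
        "ProcessCommandLine": SR_CMD},
]

def has_term(text, term):
    """Approximate KQL 'has': case-insensitive match of a whole alphanumeric term.
    KQL 'contains' would instead be a plain case-insensitive substring test."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def is_turn_off_system_restore(ev, now=NOW, window=timedelta(days=7)):
    """Mirror each predicate of the hunting query, in the same order."""
    init_cmd = ev["InitiatingProcessCommandLine"]
    return (
        ev["Timestamp"] > now - window                                 # Timestamp > ago(7d)
        and ev["InitiatingProcessFileName"].lower() == "rundll32.exe"  # =~ is case-insensitive
        and " " not in init_cmd and init_cmd != ""                     # bare command line
        and ev["FileName"].lower() in {"schtasks.exe"}                 # in~ (case-insensitive)
        and all(has_term(ev["ProcessCommandLine"], t) for t in ("Change", "SystemRestore", "disable"))
    )

def hunt(events):
    """Return the rows the query would surface."""
    return [ev for ev in events if is_turn_off_system_restore(ev)]
```

Only the first sample row survives; the cmd.exe row shows why the rundll32 pivot, not the schtasks command alone, is what the query keys on.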
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Benign scenarios that can trigger this query, with a filter/exclusion for each. The exclusions use generic field names; in DeviceProcessEvents the corresponding columns are FileName and ProcessCommandLine.

| Scenario | Filter/Exclusion |
|---|---|
| System Restore is disabled as part of a standard Windows 10/11 update or system cleanup task. | process.name != "systemrestore.exe" AND process.name != "wbemtest.exe" |
| A system administrator manually disables System Restore using the Disable-ComputerRestore PowerShell command during routine maintenance. | process.name != "powershell.exe" OR process.arguments != "Disable-ComputerRestore" |
| A scheduled task runs to clean up disk space by removing System Restore points. | process.name != "schtasks.exe" OR process.arguments != "/Run" |
| A backup tool like Veeam or Commvault temporarily disables System Restore during a backup operation. | process.name != "veeam.exe" AND process.name != "commvault.exe" |
| An IT admin uses Group Policy to disable System Restore across the domain as part of a security hardening policy. | process.name != "gpupdate.exe" OR process.arguments != "/force" |