Adversaries may disable System Restore to eliminate the ability to recover data encrypted by ransomware (MITRE ATT&CK T1490, Inhibit System Recovery). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware activity and mitigate data loss risks. The query below keys on one specific tradecraft pattern: a bare rundll32.exe (launched with no arguments at all, which is rare for legitimate use and a common sign of proxied or injected execution) spawning schtasks.exe to disable the System Restore scheduled task.
KQL Query

```kusto
DeviceProcessEvents
//Pivoting for rundll32 as the parent process
| where InitiatingProcessFileName =~ 'rundll32.exe'
//Looking for a bare command line: no arguments (no spaces), but not an empty field either
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
//Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
//Disabling the System Restore task, e.g. schtasks /Change /TN "\Microsoft\Windows\SystemRestore\SR" /Disable
//'has' is a case-insensitive whole-term match, so '/Disable' matches 'disable' but '/Disabled' would not
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
```
Hunting query YAML

```yaml
id: 5de97d18-b12b-4acf-9c3e-c96a67e80312
name: Turning off System Restore
description: |
  This query identifies attempts to stop System Restore and prevent the system from creating restore points, which can be used to recover data encrypted by ransomware
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  //Pivoting for rundll32 as the parent process
  | where InitiatingProcessFileName =~ 'rundll32.exe'
  //Looking for a bare command line: no arguments (no spaces), but not an empty field either
  and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
  //Looking for schtasks.exe as the created process
  and FileName in~ ('schtasks.exe')
  //Disabling the System Restore task
  and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
  and ProcessCommandLine has 'disable'
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Requires the Microsoft 365 Defender (MicrosoftThreatProtection) data connector with the DeviceProcessEvents table enabled |
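To make the query's logic concrete before running it against live telemetry, the following is an added Python example (not part of the Sentinel query or the Microsoft repository) that re-implements the same filter over a handful of constructed DeviceProcessEvents rows. It shows which rows survive each clause, including why the bare-command-line test and the whole-term semantics of KQL `has` matter. The `kql_has` helper is an approximation of Kusto term matching (split on non-alphanumeric characters, case-insensitive), and the device names and command lines are invented sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the hunting query touches."""
    DeviceName: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    FileName: str
    ProcessCommandLine: str


# Approximation of a Kusto "term": a run of alphanumeric characters or underscores.
_TERM = re.compile(r"[A-Za-z0-9_]+")


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on a whole term.

    Because terms are split on punctuation, '/Disable' yields the term
    'disable' and '\\Microsoft\\Windows\\SystemRestore\\SR' yields
    'systemrestore', while '/Disabled' does NOT match 'disable'.
    """
    return term.lower() in (t.lower() for t in _TERM.findall(text))


def matches_turning_off_system_restore(ev: DeviceProcessEvent) -> bool:
    """Apply the query's clauses in order; return True if the row would be emitted."""
    # InitiatingProcessFileName =~ 'rundll32.exe'  (case-insensitive equality)
    if ev.InitiatingProcessFileName.lower() != "rundll32.exe":
        return False
    # InitiatingProcessCommandLine !contains " " and != ""  (bare rundll32, no arguments)
    if " " in ev.InitiatingProcessCommandLine or ev.InitiatingProcessCommandLine == "":
        return False
    # FileName in~ ('schtasks.exe')
    if ev.FileName.lower() != "schtasks.exe":
        return False
    # ProcessCommandLine has 'Change' and has 'SystemRestore' and has 'disable'
    cl = ev.ProcessCommandLine
    return kql_has(cl, "Change") and kql_has(cl, "SystemRestore") and kql_has(cl, "disable")


def hunt(events: Iterable[DeviceProcessEvent]) -> List[str]:
    """Return the DeviceName of every row the query would flag."""
    return [ev.DeviceName for ev in events if matches_turning_off_system_restore(ev)]


# Constructed sample rows (hypothetical hosts and command lines, not real telemetry).
SR_TASK = r'"\Microsoft\Windows\SystemRestore\SR"'
SAMPLE_EVENTS = [
    # 1. Bare rundll32 disabling the SR task: the pattern the query is built for.
    DeviceProcessEvent("ws-01", "rundll32.exe", "rundll32.exe",
                       "schtasks.exe", f"schtasks.exe /Change /TN {SR_TASK} /Disable"),
    # 2. Same schtasks command run by an admin from cmd.exe: parent is not rundll32.
    DeviceProcessEvent("ws-02", "cmd.exe", "cmd.exe",
                       "schtasks.exe", f"schtasks.exe /Change /TN {SR_TASK} /Disable"),
    # 3. rundll32 with a legitimate DLL argument: command line contains spaces.
    DeviceProcessEvent("ws-03", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL",
                       "schtasks.exe", f"schtasks.exe /Query /TN {SR_TASK}"),
    # 4. Bare rundll32, but the task is being enabled, not disabled.
    DeviceProcessEvent("ws-04", "rundll32.exe", "rundll32.exe",
                       "schtasks.exe", f"schtasks.exe /Change /TN {SR_TASK} /Enable"),
    # 5. Mixed case everywhere: =~, in~ and has are all case-insensitive.
    DeviceProcessEvent("ws-05", "RUNDLL32.EXE", "RUNDLL32.EXE",
                       "SCHTASKS.EXE", r"schtasks /change /tn \Microsoft\Windows\SystemRestore\SR /disable"),
    # 6. Empty InitiatingProcessCommandLine (e.g. missing telemetry): excluded by != "".
    DeviceProcessEvent("ws-06", "rundll32.exe", "",
                       "schtasks.exe", f"schtasks.exe /Change /TN {SR_TASK} /Disable"),
]


if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS):
        print("flagged:", name)
```

Rows 2, 3, 4 and 6 fall out at successive clauses, and only ws-01 and ws-05 are flagged; the `kql_has` helper also makes it easy to check corner cases such as `/Disabled` before deciding whether to loosen the final clause to `contains`.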
False positive scenarios. Note that this query only fires on a very narrow chain (bare rundll32.exe spawning schtasks.exe with /Change, SystemRestore and /Disable on the command line), so several common benign ways of turning off System Restore never reach it; they matter only if you broaden the query. DeviceProcessEvents does not carry Windows Event Log IDs, so exclusions should be built on its own columns (InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName, DeviceName) rather than on event IDs.

Scenario: System Restore disabled via Group Policy
Description: An administrator disables System Restore through Group Policy to comply with corporate imaging or endpoint management policies.
Filter/Exclusion: Policy application does not involve schtasks.exe launched from a bare rundll32.exe, so this path does not match the query as written and needs no exclusion. If you broaden the query to any process disabling the SR task, exclude by the expected InitiatingProcessFileName and InitiatingProcessAccountName of the policy engine rather than by Windows event IDs.

Scenario: Scheduled task to clean up restore points
Description: A legitimate scheduled task runs to clean up old restore points as part of disk space management or compliance with retention policies.
Filter/Exclusion: Deleting old restore points does not change the System Restore task itself, so it does not match. If such a job does call schtasks.exe /Change on the SR task, exclude it by its own task name in the parent's InitiatingProcessCommandLine, not by the presence of schtasks.exe (which is the child the query is looking for).

Scenario: System Restore disabled during OS deployment
Description: During a standard OS deployment or imaging process, System Restore is disabled to ensure a clean state.
Filter/Exclusion: Deployment tooling normally launches schtasks.exe from its own agent or from a script host, not from a bare rundll32.exe, so a hit here is unusual and worth a look. If it is expected in your environment, exclude by DeviceName and deployment window or by the deployment agent's InitiatingProcessFolderPath. Event IDs 6006 (event log service stopped) and 6008 (unexpected shutdown) are unrelated to this activity and are not present in DeviceProcessEvents.

Scenario: Admin task to remove restore points manually
Description: An administrator manually removes restore points using the vssadmin command or the System Properties UI as part of routine maintenance.
Filter/Exclusion: Neither vssadmin.exe nor explorer.exe is matched by this query, because FileName must be schtasks.exe. Do not add exclusions for them here; vssadmin delete shadows is itself a strong ransomware indicator under the same ATT&CK technique (T1490) and should be covered by a separate hunt with its own allow-list of admin accounts and maintenance windows.

Scenario: Third-party tool managing system restore points
Description: A third-party endpoint management tool (e.g., Microsoft Intune, Symantec Endpoint Protection) disables System Restore as part of its configuration.
Filter/Exclusion: If the tool invokes schtasks.exe, InitiatingProcessFileName will be the tool's own executable or service host rather than a bare rundll32.exe, so it will not match. In a broadened query, exclude by the tool's InitiatingProcessFileName and InitiatingProcessFolderPath, and verify that the folder is the vendor's install path so an attacker cannot earn the exclusion by naming a binary after the agent.