System Restore Registry Modification via CommandLine
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
Sigma rule
```yaml
title: System Restore Registry Modification via CommandLine
id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
related:
    - id: 5de03871-5d46-4539-a82d-3aa992a69a83
      type: similar
status: experimental
description: |
    Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-11
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
    selection_cli_reg_root:
        CommandLine|contains:
            - '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    selection_cli_reg_key:
        CommandLine|contains:
            - 'DisableConfig'
            - 'DisableSR'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
```
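To see how the four selections combine under `all of selection_*`, here is an added Python matcher that mirrors the rule's logic over constructed process_creation events (example code, not part of the Sigma rule or the page; the event field names and sample command lines are assumptions, with Sigma's default case-insensitive string matching applied).

```python
# Added example (not part of the Sigma rule): a minimal matcher that mirrors
# this rule's four selection_* blocks over constructed process_creation events.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\reg.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "pwsh.dll", "reg.exe")
CLI_ACTIONS = (" add ", "Set-ItemProperty", "New-ItemProperty")
CLI_REG_ROOTS = (
    "\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore",
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore",
)
CLI_REG_KEYS = ("DisableConfig", "DisableSR")


def _contains_any(value, needles):
    # Sigma string matching is case-insensitive by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event):
    """True when all four selection_* blocks of the rule match the event."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # selection_img is a list of two maps: matching either one is enough.
    selection_img = image.endswith(IMAGE_SUFFIXES) or ofn in ORIGINAL_FILE_NAMES
    return (selection_img
            and _contains_any(cmd, CLI_ACTIONS)
            and _contains_any(cmd, CLI_REG_ROOTS)
            and _contains_any(cmd, CLI_REG_KEYS))


# Constructed sample events (not real telemetry): two that set the values the
# rule names, one read-only query, and one 'reg add' against an unrelated key.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c \"Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore' -Name DisableConfig -Value 1\""},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore" /v DisableSR'},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Example" /v Foo /t REG_DWORD /d 1 /f'},
]


def matching_events(events=SAMPLE_EVENTS):
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Only the first two sample events satisfy every selection; the query and the unrelated key each fail one selection, which is why the rule keeps `condition: all of selection_*` rather than alerting on the registry path alone.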
Related rules
- Registry Disable System Restore
- Boot Configuration Tampering Via Bcdedit.EXE
- Cisco Modify Configuration
- Potential Maze Ransomware Activity
- Potential Dtrack RAT Activity