Investigation of repeated Windows backup failures
Playbook Description
Investigates repeated Windows backup failures by checking VSS writer errors, driver issues, volume problems, physical disk health, and backup schedules. It also scans the host for malware, terminates any malicious processes found, and notifies the security team.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Impact (TA0040) | Inhibit System Recovery (T1490) | - |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Detect (D3-Detect) | Platform Monitoring (D3-PM) | Scheduled Job Analysis (D3-SJA) |
| Detect (D3-Detect) | Platform Monitoring (D3-PM) | System File Analysis (D3-SFA) |
Playbook input type
Alert
Prerequisites
- PowerShell 3.0+
- Script Execution Policy
- PowerShell module: Storage
- At least one physical disk.
- Microsoft Defender should be enabled.
- Windows Credentials - Go to Settings -> Devices -> Windows Devices. Provide/update the credentials of the respective Windows device with admin privileges.
Dependencies
Utility functions:
- utility_convertTimeToUTC
- utility_getRequiredTime
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| CheckPhysicalDiskHealth.ps1 | Retrieves physical disk health information (name, operational status, health status, size) using Get-PhysicalDisk, with fallbacks to Get-Disk and WMI. | - |
| GetBackupScheduledJobs.ps1 | Retrieves all Windows scheduled tasks whose path matches a backup-related pattern, including their configuration, trigger, action, and run history details. | - |
| GetVSSWriterErrors.ps1 | Runs vssadmin list writers and filters for VSS writers reporting errors, returning the writer details for any failed entries. | - |
Sub playbooks
- Windows Defender quick scan
Execution workflow
Investigation:
- Retrieves the VSS writers with errors.
- Fetches the driver issues.
- Retrieves the volume issues.
- Retrieves the physical disk health.
- Retrieves the Windows backup schedules.
- Executes the "Windows Defender quick scan" sub-playbook.
- Validates the playbook execution.
- Builds the notification email with the analysis results.
- Sends a notification email to the relevant stakeholders.
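The following script is an added illustration of the "Retrieves the VSS writers with errors" step and of what GetVSSWriterErrors.ps1 is described as doing in the Scripts table; it is not one of the playbook's own scripts. It parses the output of `vssadmin list writers` into objects and returns every writer whose state is not Stable or whose last error is anything other than "No error". The function name, its parameter and the sample text are assumptions made for this example; the writer names and GUIDs in the sample are constructed, not taken from a real host.

```powershell
<#
  Added example (not part of the playbook): parse "vssadmin list writers"
  output and return the writers that report a problem. Function name,
  parameter and sample data are assumptions for this illustration.
#>
function Get-FailedVssWriter {
    [CmdletBinding()]
    param(
        # Lines of "vssadmin list writers" output. When omitted, the command
        # is run on the local host (vssadmin requires an elevated session).
        [string[]]$RawOutput
    )

    if (-not $RawOutput) {
        $RawOutput = & vssadmin.exe list writers 2>&1
    }

    $writers = @()
    $current = $null
    foreach ($line in $RawOutput) {
        # "$line" also covers ErrorRecord objects that 2>&1 may emit.
        switch -Regex ("$line".Trim()) {
            "^Writer name:\s+'(.+)'$" {
                if ($current) { $writers += $current }
                $current = [pscustomobject]@{
                    Name      = $Matches[1]
                    WriterId  = $null
                    State     = $null
                    LastError = $null
                }
            }
            "^Writer Id:\s+(\{[0-9a-fA-F-]+\})" { if ($current) { $current.WriterId  = $Matches[1] } }
            "^State:\s+\[(\d+)\]\s+(.+)$"       { if ($current) { $current.State     = $Matches[2] } }
            "^Last error:\s+(.+)$"              { if ($current) { $current.LastError = $Matches[1] } }
        }
    }
    if ($current) { $writers += $current }

    # A healthy writer is Stable with "No error". Failed, Waiting for completion,
    # Timed out, Retryable and Non-retryable errors are all returned for review.
    $writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample output (not captured from a real host) so the parser can be
# exercised offline; the GUIDs are placeholders.
$sample = @'
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-00000000000a}
   State: [1] Stable
   Last error: No error

Writer name: 'Registry Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-00000000000b}
   State: [8] Failed
   Last error: Non-retryable error

Writer name: 'WMI Writer'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   Writer Instance Id: {00000000-0000-0000-0000-00000000000c}
   State: [1] Stable
   Last error: Timed out
'@ -split "`r?`n"

# Expected: Registry Writer (Failed) and WMI Writer (Timed out) are listed;
# System Writer is not.
Get-FailedVssWriter -RawOutput $sample | Format-Table Name, WriterId, State, LastError -AutoSize
```

Calling `Get-FailedVssWriter` with no argument runs `vssadmin` on the host itself, which is what the playbook's stored admin credentials are for. Returning objects rather than raw text is what lets later steps (building the notification email, deciding whether to escalate) filter on the writer name, state and last error instead of re-parsing the console output.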
Post execution procedure
- Review the investigation findings on the affected host.
- Address any VSS writer errors or driver issues identified during the investigation.
- Check and resolve any volume or physical disk health problems.
- Verify that backup schedules are correctly configured and running as expected.
- If malicious activity was detected during the system health scan, escalate for further investigation.