Windows Recall Feature Enabled Via Reg.EXE

Severity: medium
Author: Sajid Nawaz Khan
Source: upstream

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1113` Screen Capture

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_img`

or:
Image|endswith: '\reg.exe'
OriginalFileName: reg.exe

Stage 2: `selection_value`

CommandLine|contains: DisableAIDataAnalysis
CommandLine|contains: 'Microsoft\Windows\WindowsAI'

Stage 3: `1 of selection_action_add`

or:
CommandLine|contains: 0
CommandLine|contains: add

Stage 4: `1 of selection_action_delete`

CommandLine|contains: delete

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`0` corpus 4 (sigma 4) `DisableAIDataAnalysis` `Microsoft\Windows\WindowsAI` `add` corpus 16 (sigma 16) `delete` corpus 7 (sigma 7)
`Image`	ends_with	`\reg.exe` corpus 46 (sigma 46)
`OriginalFileName`	eq	`reg.exe` corpus 29 (sigma 29)

Windows Recall Feature Enabled Via Reg.EXE

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_img

Stage 2: selection_value

Stage 3: 1 of selection_action_add

Stage 4: 1 of selection_action_delete

Indicators

Stage 1: `selection_img`

Stage 2: `selection_value`

Stage 3: `1 of selection_action_add`

Stage 4: `1 of selection_action_delete`