Summary of the Pull Request
This pull request features three new Sigma rules that detect the activation of Windows Recall, either through registry changes (the DisableAIDataAnalysis policy value being set to 0 or deleted) or through the command line of reg.exe. While an attack scenario has yet to be observed or documented, the rules have been developed proactively to detect the activation of Windows Recall in an environment where the feature has been explicitly disabled. It is hypothesised that an attacker could enable Windows Recall as part of post-exploitation discovery, collection and exfiltration activities.
Changelog
new: Windows Recall Feature Enabled Via Reg.EXE
new: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
new: Windows Recall Feature Enabled - Registry
Example Log Event
The Sigma rules can be validated by running the following commands in an elevated command prompt (the lines beginning with # are comments, not commands to type):
# Initial set-up
# This explicitly disables the WindowsAI Recall feature, and is expected to be the
# default state in a configured Enterprise environment
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
# Re-enable Windows Recall by resetting `DisableAIDataAnalysis` to `0`
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 0 /f
# Re-enable Windows Recall by deleting `DisableAIDataAnalysis`
reg delete "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /f
reg delete "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /f
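To show what the three detections have to match, the following is an added example written for this page: a toy re-implementation of their logic run over constructed Sysmon-style events (EID 1 process creation, EID 13 value set, EID 12 value deleted). It is not the Sigma rules from this PR; the field names follow Sysmon, and the exact matching conditions are an assumption about what the rules check. The sample events mirror the validation commands above, and the set-up command that writes 1 is included as a negative case that must not fire.

```python
"""Added example: toy re-implementation of the three Windows Recall detections,
run over constructed Sysmon-style events. Illustrative only, not the PR's rules."""
import re

# Registry key and value that govern Recall (from the page). Matching on the
# sub-key path without the hive makes the same check work for HKLM and for
# HKCU, which Sysmon records as HKU\<SID>\... in TargetObject.
WINDOWSAI_KEY = r"\software\policies\microsoft\windows\windowsai"
VALUE_NAME = "disableaidataanalysis"
VALUE_PATH = WINDOWSAI_KEY + "\\" + VALUE_NAME

# reg.exe accepts "/d 0", "/d 00", "/d 0x0" and so on for a zero DWORD.
_ZERO_DATA = re.compile(r"/d\s+(?:0x)?0+(?:\s|$)")


def recall_enabled_via_reg(event):
    """Process creation (Sysmon EID 1): reg.exe setting DisableAIDataAnalysis
    to 0, or deleting the value. Command lines are compared case-insensitively,
    as Sigma's default string matching is."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith("\\reg.exe"):
        return False
    cmd = event.get("CommandLine", "").lower()
    if WINDOWSAI_KEY not in cmd or VALUE_NAME not in cmd:
        return False
    if " delete " in cmd:
        return True
    return " add " in cmd and _ZERO_DATA.search(cmd) is not None


def recall_enabled_registry(event):
    """Registry value set (Sysmon EID 13): the value written as DWORD 0."""
    return (
        event.get("EventID") == 13
        and event.get("TargetObject", "").lower().endswith(VALUE_PATH)
        and event.get("Details", "") == "DWORD (0x00000000)"
    )


def recall_value_deleted(event):
    """Registry value deleted (Sysmon EID 12 with EventType DeleteValue)."""
    return (
        event.get("EventID") == 12
        and event.get("EventType") == "DeleteValue"
        and event.get("TargetObject", "").lower().endswith(VALUE_PATH)
    )


RULES = {
    "Windows Recall Feature Enabled Via Reg.EXE": recall_enabled_via_reg,
    "Windows Recall Feature Enabled - Registry": recall_enabled_registry,
    "Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted": recall_value_deleted,
}


def run_rules(events):
    """Return (rule title, event index) for every rule each event trips."""
    hits = []
    for i, ev in enumerate(events):
        for title, rule in RULES.items():
            if rule(ev):
                hits.append((title, i))
    return hits


# Constructed sample events (not real telemetry) mirroring the commands above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 0 /f'},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg delete "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /f'},
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis"},
    # Negative cases: the set-up step that disables Recall must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f'},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for title, idx in run_rules(SAMPLE_EVENTS):
        print(f"[event {idx}] {title}")
```

Two points worth carrying over to the real rules: the HKCU commands above produce Sysmon registry events whose TargetObject begins with HKU\<SID> rather than HKCU, so registry-based rules should not anchor on the hive name; and reg.exe accepts several spellings of a zero DWORD (0, 00, 0x0), so a command-line rule that only looks for the literal "/d 0" is easy to sidestep.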
Sysmon Configuration
Olaf Hartong's default Sysmon configuration (sysmon-modular) does not track the Software\Policies\Microsoft\Windows\WindowsAI key, so no Event ID 12/13 registry events are produced for it. As a result, the following must be added manually for the registry-based Sigma rules to be effective:
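The configuration fragment referred to above is not reproduced on this page. As an added illustration, not the fragment from this PR, the following is a sysmon-modular-style include rule for the key; the schemaversion value and the rule name are assumptions, and the version should be replaced with the one printed by sysmon -s for the installed binary.

```xml
<!-- Added example, not from the PR: include rule for the WindowsAI policy key so
     that Sysmon emits Event ID 12 (key/value create or delete), 13 (value set)
     and 14 (rename) for it. Merge the RuleGroup into the existing EventFiltering
     section of the deployed configuration; schemaversion is an assumption. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <!-- Omitting the hive matches HKLM\... as well as HKU\{SID}\..., which is
             how Sysmon records HKCU in TargetObject. -->
        <TargetObject name="Windows Recall policy" condition="contains">\Software\Policies\Microsoft\Windows\WindowsAI</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Because sysmon-modular combines include and exclude rules, check that no existing exclude rule for reg.exe or for the Policies subtree silently drops these events after the include is added.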
Sigma Test (Chainsaw Output)
References
https://learn.microsoft.com/en-us/windows/client-management/manage-recall
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis