SigmaHQ / sigma

Main Sigma Rule Repository

New: Detect Activation of Windows Recall #4869

Closed ssnkhan closed 3 weeks ago

ssnkhan commented 3 weeks ago

Summary of the Pull Request

This pull request features three new Sigma rules that detect the activation of Windows Recall, through a combination of registry changes, or through the use of reg.exe. While an attack scenario has yet to be observed or documented, the rules have been developed proactively to detect the activation of Windows Recall in an environment where the feature has been explicitly disabled. It is hypothesised that an attacker could enable Windows Recall as part of post-exploitation discovery, collection and exfiltration activities.

Changelog

- new: Windows Recall Feature Enabled Via Reg.EXE
- new: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- new: Windows Recall Feature Enabled - Registry

Example Log Event

The sigma rules can be validated by running the following commands in an elevated command-prompt:

# Initial set-up
# This explicitly disables the WindowsAI Recall feature, and is expected to be the
# default state in a configured Enterprise environment
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f

# Re-enable Windows Recall by resetting `DisableAIDataAnalysis` to `0`
reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 0 /f

# Re-enable Windows Recall by deleting `DisableAIDataAnalysis`
reg delete "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /f
reg delete "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /f 

Sysmon Configuration

Olaf Hartong's default Sysmon configuration does not track the Software\Policies\Microsoft\Windows\WindowsAI key. As a result, the following must be added manually for the registry-based sigma rules to be effective:

<TargetObject name="technique_id=T1113,technique_name=Screen Capture" condition="contains">HKCU\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis</TargetObject>
<TargetObject name="technique_id=T1113,technique_name=Screen Capture" condition="contains">HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis</TargetObject>

Sigma Test (Chainsaw Output)

[Screenshot: Sigma_Windows_Recall_Activation_Chainsaw]

References

https://learn.microsoft.com/en-us/windows/client-management/manage-recall
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
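The three detection ideas described in this PR (reg.exe re-enabling Recall, the DisableAIDataAnalysis value being set to 0, and the value being deleted) can be exercised offline against Sysmon-style events. The script below is an added example, not the PR's rule files or the Sigma project's code: the match conditions are inferred from the PR description, the event dictionaries are constructed (the SID in the HKU path is a placeholder, since Sysmon reports HKCU writes under HKU\<SID>), and the Sysmon field names and values (EventID 1/12/13, EventType "DeleteValue", Details "DWORD (0x00000000)") are used as Sysmon emits them.

```python
"""Toy re-implementation of the three detection ideas in this PR.

Added example, not the PR's Sigma rules. Match logic is inferred from the
PR text; all events below are constructed, not captured from a real host.
"""

WINDOWSAI_KEY = r"\Software\Policies\Microsoft\Windows\WindowsAI"
VALUE_NAME = "DisableAIDataAnalysis"

RULE_REG_EXE = "Windows Recall Feature Enabled Via Reg.EXE"
RULE_VALUE_DELETED = "Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted"
RULE_REGISTRY = "Windows Recall Feature Enabled - Registry"

# Constructed Sysmon-style events. EventID 1 = process creation,
# 12 = registry object added/deleted, 13 = registry value set.
# The HKU SID is a placeholder, not a real account.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 0 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",  # benign: disabling Recall
     "CommandLine": r'reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg delete "HKLM\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /f'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000000000-1000000000-1000000000-1001\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000001)"},  # benign: value set to 1 (disabled)
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis"},
    {"EventID": 12, "EventType": "CreateKey",  # benign: key created, value untouched
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
]


def _on_target_value(target_object: str) -> bool:
    """True when the path points at the DisableAIDataAnalysis value under WindowsAI.

    Case-insensitive, so HKLM\\SOFTWARE and HKLM\\Software both match, and the
    hive prefix (HKLM, HKU\\<SID>) is ignored, as with the Sysmon 'contains' filter."""
    t = target_object.lower()
    return WINDOWSAI_KEY.lower() in t and t.endswith("\\" + VALUE_NAME.lower())


def rule_recall_enabled_via_reg_exe(ev: dict) -> bool:
    """reg.exe either deleting the value or explicitly setting it to 0."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\reg.exe"):
        return False
    tokens = [t.lower() for t in ev.get("CommandLine", "").replace('"', "").split()]
    if not any("windowsai" in t for t in tokens) or VALUE_NAME.lower() not in tokens:
        return False
    if len(tokens) > 1 and tokens[1] == "delete":
        return True
    # "/d 0" means the policy is cleared, i.e. Recall is allowed again
    return any(t == "/d" and tokens[i + 1] in ("0", "0x0")
               for i, t in enumerate(tokens[:-1]))


def rule_disableaidataanalysis_value_deleted(ev: dict) -> bool:
    """Sysmon EID 12 DeleteValue on the policy value."""
    return (ev.get("EventID") == 12 and ev.get("EventType") == "DeleteValue"
            and _on_target_value(ev.get("TargetObject", "")))


def rule_recall_enabled_registry(ev: dict) -> bool:
    """Sysmon EID 13: the policy value written as DWORD 0."""
    return (ev.get("EventID") == 13 and _on_target_value(ev.get("TargetObject", ""))
            and ev.get("Details", "") == "DWORD (0x00000000)")


RULES = [
    (RULE_REG_EXE, rule_recall_enabled_via_reg_exe),
    (RULE_VALUE_DELETED, rule_disableaidataanalysis_value_deleted),
    (RULE_REGISTRY, rule_recall_enabled_registry),
]


def run_rules(events: list) -> list:
    """Return (event_index, rule_title) for every event that trips a rule."""
    return [(i, title) for i, ev in enumerate(events)
            for title, check in RULES if check(ev)]


if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

The benign events (setting the value to 1, creating the parent key, an unrelated process) produce no hits, which is the behaviour the PR wants: only a transition from "explicitly disabled" to "enabled" is alerted on, not the enforcement of the policy itself.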

ssnkhan commented 3 weeks ago

This is only my second PR to the Sigma project, so apologies for any errors or omissions :)