Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable the Windows Recovery Environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues. Disabling WinRE removes a built-in recovery path, which is why the rule is mapped to the Impact tactic (T1490, Inhibit System Recovery).
Sigma rule

```yaml
title: Windows Recovery Environment Disabled Via Reagentc
id: db1c21e4-cd66-4b4e-85ca-590f0780529c
status: experimental
description: |
    Detects attempts to disable windows recovery environment using Reagentc.
    ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
    It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
references:
    - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
    - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
author: Daniel Koifman (KoifSec), Michael Vilshin
date: 2025-07-31
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img: # Example command simulated: reagentc /disable
        - Image|endswith: '\reagentc.exe'
        - OriginalFileName: 'reagentc.exe'
    selection_cli:
        CommandLine|contains|windash: '/disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
```
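The rule has two parts that are worth understanding before deploying it: `selection_img` is a list of two maps, so either the image path ending in `\reagentc.exe` or the PE `OriginalFileName` of `reagentc.exe` satisfies it (which is what catches a renamed copy of the binary), and `selection_cli` uses the `windash` modifier so that `/disable` also matches the dash-prefixed spellings Windows accepts. The following Python is an added example, not code from the rule's authors or from the Sigma project, that emulates this matching logic over a few constructed process-creation events. It assumes that `windash` expands `/` to the ASCII hyphen and the Unicode en dash, em dash and horizontal bar; check that set against the Sigma backend you actually use.

```python
import re

# Characters the `windash` modifier is assumed to treat as interchangeable
# with '/' (assumption: verify against your Sigma backend's own expansion).
WINDASH_VARIANTS = ("/", "-", "\u2013", "\u2014", "\u2015")


def windash_contains(command_line: str, pattern: str) -> bool:
    """Emulate `CommandLine|contains|windash: pattern`.

    Every '/' or dash in the pattern becomes a character class of all dash
    variants, so '/disable' also matches '-disable' and '\u2013disable'.
    Sigma string matching is case-insensitive by default, so the search is too.
    """
    dash_class = "[" + "".join(re.escape(v) for v in WINDASH_VARIANTS) + "]"
    parts = [dash_class if ch in WINDASH_VARIANTS else re.escape(ch) for ch in pattern]
    return re.search("".join(parts), command_line, re.IGNORECASE) is not None


def matches_rule(event: dict) -> bool:
    """Apply the rule's `all of selection_*` condition to one process_creation event."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # selection_img is a YAML list of maps: the two field checks are OR-ed.
    selection_img = (
        image.lower().endswith("\\reagentc.exe")
        or original.lower() == "reagentc.exe"
    )
    # selection_cli: contains with windash expansion.
    selection_cli = windash_contains(cmdline, "/disable")

    # condition: all of selection_* -> both selections must hold.
    return selection_img and selection_cli


# Constructed sample events (not real telemetry) covering the cases the
# rule is meant to distinguish.
SAMPLE_EVENTS = [
    # 1. Canonical invocation: should fire.
    {"Image": "C:\\Windows\\System32\\ReAgentc.exe",
     "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc /disable"},
    # 2. Hyphen instead of slash: still fires because of windash.
    {"Image": "C:\\Windows\\System32\\ReAgentc.exe",
     "OriginalFileName": "reagentc.exe",
     "CommandLine": "ReAgentc.exe -disable"},
    # 3. Same binary, different sub-command: must not fire.
    {"Image": "C:\\Windows\\System32\\ReAgentc.exe",
     "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc /enable"},
    # 4. Matching command line but a different image: must not fire.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo /disable"},
    # 5. Renamed binary with en dash: fires via OriginalFileName + windash.
    {"Image": "C:\\Temp\\renamed.exe",
     "OriginalFileName": "reagentc.exe",
     "CommandLine": "renamed.exe \u2013disable"},
]


def evaluate(events):
    """Return one boolean per event: True where the rule would alert."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Event 5 is the reason the rule keys on `OriginalFileName` as well as `Image`: the path check alone misses a renamed copy, while the PE header field still identifies the tool. Events 3 and 4 show that neither selection is sufficient on its own, which keeps the rule at medium level with legitimate administrative use as the expected false positive.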
Related rules
- Suspicious Volume Shadow Copy VSS_PS.dll Load
- Cisco Modify Configuration
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- File Recovery From Backup Via Wbadmin.EXE
- New File Exclusion Added To Time Machine Via Tmutil - MacOS