Windows Recall Feature Enabled Via Reg.EXE

 1title: Windows Recall Feature Enabled Via Reg.EXE
 2id: 817f252c-5143-4dae-b418-48c3e9f63728
 3related:
 4    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
 5      type: similar
 6    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
 7      type: similar
 8status: experimental
 9description: |
10    Detects the enabling of the Windows Recall feature via registry manipulation.
11    Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
12    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
13    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.    
14references:
15    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
16    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
17author: Sajid Nawaz Khan
18date: 2024/06/02
19tags:
20    - attack.collection
21    - attack.t1113
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_img:
27        - Image|endswith: '\reg.exe'
28        - OriginalFileName: 'reg.exe'
29    selection_value:
30        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
31        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
32        CommandLine|contains|all:
33            - 'Microsoft\Windows\WindowsAI'
34            - 'DisableAIDataAnalysis'
35    selection_action_add:
36        CommandLine|contains:
37            - 'add'
38            - '0'
39    selection_action_delete:
40        CommandLine|contains: 'delete'
41    condition: selection_img and selection_value and 1 of selection_action_*
42falsepositives:
43    - Legitimate use/activation of Windows Recall
44level: medium