Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Sigma rule (View on GitHub)
1title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
2id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
3related:
4 - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
5 type: similar
6 - id: 817f252c-5143-4dae-b418-48c3e9f63728
7 type: similar
8status: experimental
9description: |
10 Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
11 Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
12 This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
13references:
14 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
15 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
16author: Sajid Nawaz Khan
17date: 2024-06-02
18tags:
19 - attack.collection
20 - attack.t1113
21logsource:
22 category: registry_delete
23 product: windows
24detection:
25 selection:
26 # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
27 # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
28 EventType: DeleteValue
29 TargetObject|endswith: '\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
30 condition: selection
31falsepositives:
32 - Legitimate use/activation of Windows Recall
33level: medium
References
-
Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
Read More -
Related rules
- Periodic Backup For System Registry Hives Enabled
- Screen Capture - macOS
- Screen Capture Activity Via Psr.EXE
- Screen Capture with Import Tool
- Screen Capture with Xwd