Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Sigma rule (View on GitHub)
1title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
2id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
3related:
4 - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
5 type: similar
6 - id: 817f252c-5143-4dae-b418-48c3e9f63728
7 type: similar
8status: experimental
9description: |
10 Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
11 Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
12 This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
13references:
14 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
15 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
16author: Sajid Nawaz Khan
17date: 2024/06/02
18tags:
19 - attack.collection
20 - attack.t1113
21logsource:
22 category: registry_delete
23 product: windows
24detection:
25 selection:
26 # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
27 # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
28 EventType: DeleteValue
29 TargetObject|endswith: '\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
30 condition: selection
31falsepositives:
32 - Legitimate use/activation of Windows Recall
33level: medium
References
-
Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
Read More -
Related rules
- Windows Recall Feature Enabled - Registry
- Windows Recall Feature Enabled Via Reg.EXE
- Screen Capture Activity Via Psr.EXE
- Windows Screen Capture with CopyFromScreen
- Screen Capture with Import Tool