Windows Recall Feature Enabled - Registry

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Sigma rule (View on GitHub)

 1title: Windows Recall Feature Enabled - Registry
 2id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
 3related:
 4    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
 5      type: similar
 6    - id: 817f252c-5143-4dae-b418-48c3e9f63728
 7      type: similar
 8status: experimental
 9description: |
10    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
11    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
12    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.    
13references:
14    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
15    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
16author: Sajid Nawaz Khan
17date: 2024-06-02
18tags:
19    - attack.collection
20    - attack.t1113
21logsource:
22    category: registry_set
23    product: windows
24detection:
25    selection:
26        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
27        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
28        TargetObject|endswith: '\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
29        Details: 'DWORD (0x00000000)'
30    condition: selection
31falsepositives:
32    - Legitimate use/activation of Windows Recall
33level: medium

References

Related rules

to-top