attack.t1113

Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted

Apr 16, 2025 · attack.collection attack.t1113 ·

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Windows Recall Feature Enabled - Registry

Apr 16, 2025 · attack.collection attack.t1113 ·

Share on:

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Windows Recall Feature Enabled Via Reg.EXE

Apr 16, 2025 · attack.collection attack.t1113 ·

Share on:

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Periodic Backup For System Registry Hives Enabled

Aug 12, 2024 · attack.collection attack.t1113 ·

Share on:

Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".

Screen Capture - macOS

Aug 12, 2024 · attack.collection attack.t1113 ·

Share on:

Detects attempts to use screencapture to collect macOS screenshots

Screen Capture Activity Via Psr.EXE

Aug 12, 2024 · attack.collection attack.t1113 ·

Share on:

Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.

Screen Capture with Import Tool

Aug 12, 2024 · attack.collection attack.t1113 ·

Share on:

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Screen Capture with Xwd

Aug 12, 2024 · attack.collection attack.t1113 ·

Share on:

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Windows Screen Capture with CopyFromScreen

Aug 12, 2024 · attack.collection attack.t1113 ·

Share on:

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations