Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update T1113.yaml #2827

Merged
merged 3 commits into from
Jul 10, 2024
Merged

Update T1113.yaml #2827

merged 3 commits into from
Jul 10, 2024

Conversation

msdlearn
Copy link
Contributor

@msdlearn msdlearn commented Jul 4, 2024

Details:
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Testing:
Tested Successfully in atomic labs
@msdlearn
Update T1113.yaml
77cb0a3 
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
@cyberbuff cyberbuff requested a review from clr2of8 July 4, 2024 18:52
clr2of8
clr2of8 requested changes Jul 5, 2024
View reviewed changes
Copy link
Collaborator

@clr2of8 clr2of8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean to put this in T1112 instead? Doesn't seem to fit T1113 screen capture
@msdlearn
Copy link
Contributor Author

msdlearn commented Jul 10, 2024
edited
Loading

Did you mean to put this in T1112 instead? Doesn't seem to fit T1113 screen capture

But the activity take screenshots if registry was disabled, So only I tired to add in T1113. @clr2of8 Please confirm me once. I will be adding to the T1112 instead.
clr2of8
clr2of8 approved these changes Jul 10, 2024
View reviewed changes
Copy link
Collaborator

@clr2of8 clr2of8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I didn't realize that the recall feature was taking screenshots. Thank you, this looks good as is. Thanks for the clarification.
@clr2of8 clr2of8 merged commit 39c0efe into redcanaryco:master Jul 10, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
windows
3 participants
@msdlearn @clr2of8 @cyberbuff