| ID | Technique | Tactic |
|---|---|---|
| T1119 | Automated Collection | Collection |
| T1059 | Command and Scripting Interpreter | Execution |
Detection: Windows Process Accessing Windows Recall Directory
Description
This detection triggers on a process accessing the Windows Recall directory. Recall is a new feature Microsoft release that takes screenshots every 5 or so seconds to provide context to it's AI features. The initial release of Recall was lacking in the security department due to it being trivial to view and steal the data. Due to this lack of security it's likely that info stealer malware will take advantage of this new feature. Microsoft has recognized the security issues with Recall and is planning on making improvements. Once those improvements are released we will re-assess this detection to make sure it is still relevant.
Search
1`wineventlog_security`
2AccessList="%%4416"
3EventID="4663"
4ObjectName="*CoreAIPlatform.00\\UKP*"
5NOT (
6 ProcessName IN (
7 "*aixhost.exe",
8 "*aihost.exe"
9 )
10)
11
12| fillnull
13
14| stats count min(_time) as firstTime
15 max(_time) as lastTime
16 by Computer EventID AccessList ObjectName ProcessName
17
18
19| rename Computer as dest
20
21| `security_content_ctime(firstTime)`
22
23| `security_content_ctime(lastTime)`
24
25| `windows_process_accessing_windows_recall_directory_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4663 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_process_accessing_windows_recall_directory_filter | search * |
windows_process_accessing_windows_recall_directory_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Legitimate system processes and trusted applications may access the Windows Recall directory for AI-related features. Review and allow access for approved software as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Potential Process Accessing Windows Recall Directory activity observed on $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 20 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1