LoFP

Legitimate system processes and trusted applications may access the Windows Recall directory for AI-related features. Review and allow access for approved software as needed.

Techniques

Sample rules

Windows Process Accessing Windows Recall Directory

Description

This detection triggers on a process accessing the Windows Recall directory. Recall is a new feature Microsoft released that takes a screenshot roughly every 5 seconds to provide context to its AI features. The initial release of Recall was lacking in the security department, since it was trivial to view and steal the captured data. Because of that weak security it is likely that info-stealer malware will take advantage of this new feature. Microsoft has acknowledged the security issues with Recall and is planning improvements. Once those improvements are released we will re-assess this detection to make sure it is still relevant.

Detection logic

`wineventlog_security` AccessList="%%4416" EventID="4663" ObjectName="*CoreAIPlatform.00\\UKP*" NOT (ProcessName IN ("*aixhost.exe", "*aihost.exe"))
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventID AccessList ObjectName ProcessName
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_accessing_windows_recall_directory_filter`
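The search and stats stages of the SPL above, re-implemented in Python and run over constructed 4663 events so the process exclusion, the ObjectName wildcard and the grouping can be checked offline. This is an added example, not code from the rule or its project; the hostnames, user profile paths, file name and the non-Microsoft process name are assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events (not real telemetry); field names mirror the
# wineventlog_security fields the SPL rule keys on. Host, user, paths and
# the non-Microsoft process name are assumptions for the demonstration.
RECALL_DIR = r"C:\Users\alice\AppData\Local\CoreAIPlatform.00\UKP"
SAMPLE_EVENTS = [
    # Built-in AI host reading the directory: excluded by the NOT clause.
    {"_time": 1000, "Computer": "WS01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": RECALL_DIR + r"\example.db", "ProcessName": r"C:\Windows\System32\aihost.exe"},
    # Unknown process reading the same object twice: reported as one row with count 2.
    {"_time": 1010, "Computer": "WS01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": RECALL_DIR + r"\example.db", "ProcessName": r"C:\Users\alice\Downloads\updater.exe"},
    {"_time": 1025, "Computer": "WS01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": RECALL_DIR + r"\example.db", "ProcessName": r"C:\Users\alice\Downloads\updater.exe"},
    # A different access type (%%4417) on the same object: not matched by the rule as written.
    {"_time": 1030, "Computer": "WS01", "EventID": "4663", "AccessList": "%%4417",
     "ObjectName": RECALL_DIR + r"\example.db", "ProcessName": r"C:\Users\alice\Downloads\updater.exe"},
    # Read of an unrelated object: does not match the ObjectName wildcard.
    {"_time": 1040, "Computer": "WS02", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": r"C:\Users\bob\Documents\notes.txt", "ProcessName": r"C:\Windows\notepad.exe"},
]

EXCLUDED_PROCESSES = ("*aixhost.exe", "*aihost.exe")

def matches_rule(ev):
    """Apply the search clause of the rule to one event (case-insensitive, like Splunk)."""
    if ev.get("EventID") != "4663" or ev.get("AccessList") != "%%4416":
        return False
    if not fnmatchcase(ev.get("ObjectName", "").lower(), "*coreaiplatform.00\\ukp*"):
        return False
    proc = ev.get("ProcessName", "").lower()
    # Suffix wildcards, as in the SPL: any path ending in these names is excluded.
    return not any(fnmatchcase(proc, p) for p in EXCLUDED_PROCESSES)

def run_detection(events):
    """Emulate `stats count min(_time) max(_time) by ...` plus `rename Computer as dest`."""
    groups = defaultdict(list)
    for ev in filter(matches_rule, events):
        key = (ev["Computer"], ev["EventID"], ev["AccessList"], ev["ObjectName"], ev["ProcessName"])
        groups[key].append(ev["_time"])
    return [
        {"dest": comp, "EventID": eid, "AccessList": acc, "ObjectName": obj, "ProcessName": proc,
         "count": len(times), "firstTime": min(times), "lastTime": max(times)}
        for (comp, eid, acc, obj, proc), times in groups.items()
    ]
```

Running `run_detection(SAMPLE_EVENTS)` yields a single row for the updater.exe reads on WS01; the `windows_process_accessing_windows_recall_directory_filter` macro, where site-specific allow-listing lives, is not emulated here.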