Skip to content
Threat Feed
high advisory

Suspicious Process Accessing Windows Recall Directory

This detection identifies processes accessing the Windows Recall directory, a feature that takes screenshots every few seconds, and due to initial security shortcomings, could be exploited by malware to steal sensitive data.

Windows Recall is a new feature released by Microsoft that periodically captures screenshots to provide context for AI features. The initial release had significant security vulnerabilities, making it relatively easy to steal sensitive data contained within the captured screenshots. This vulnerability makes the Recall directory a prime target for information-stealing malware. Microsoft has acknowledged these security concerns and plans to implement security improvements in future versions. This detection aims to identify unauthorized access to the Windows Recall directory by suspicious processes before those improvements are implemented.

Attack Chain

  1. Malware gains initial access to the system (e.g., through phishing or exploit).
  2. The malware executes and attempts to locate the Windows Recall directory (typically under *CoreAIPlatform.00\\UKP*).
  3. The malware uses Windows API calls or other methods to request access to the Recall directory.
  4. Windows Event Log Security generates an event (EventID 4663) indicating object access.
  5. The malware reads the screenshot data from the Recall directory.
  6. The malware exfiltrates the stolen screenshot data to a remote server.
  7. The attacker analyzes the exfiltrated data for sensitive information (credentials, personal data, etc.).

Impact

Successful exploitation allows attackers to steal any information displayed on the user’s screen, including credentials, financial data, personal communications, and other sensitive information. This can lead to identity theft, financial fraud, and further compromise of the user’s system and network. The number of potential victims is substantial, given the widespread use of Windows.

Recommendation

  • Deploy the Sigma rule Suspicious Access to Windows Recall Directory to your SIEM to detect unauthorized access to the Recall directory via Windows Event Log ID 4663.
  • Investigate any alerts generated by the Suspicious Access to Windows Recall Directory rule, paying close attention to the ProcessName and ObjectName fields.
  • Monitor endpoints for processes attempting to access the Windows Recall directory using AccessList="%%4416" as documented in the event ID 4663.
  • Implement application control policies to restrict the execution of unauthorized or untrusted software that may attempt to access the Windows Recall directory.

Detection coverage 2

Suspicious Access to Windows Recall Directory

high

Detects processes accessing the Windows Recall directory, potentially indicating malicious activity.

sigma tactics: credential_access techniques: T1119 sources: process_creation, windows

Windows Event Log Security 4663 Accessing Recall Directory

high

Detects specific Windows Event ID 4663 events indicating access to the Windows Recall directory by excluding allowed processes.

sigma tactics: credential_access, execution techniques: T1059, T1119 sources: file_event, windows

Detection queries are kept inside the platform. Get full rules →