{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-recall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Recall"],"_cs_severities":["high"],"_cs_tags":["credential-access","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eWindows Recall is a new feature released by Microsoft that periodically captures screenshots to provide context for AI features. The initial release had significant security vulnerabilities, making it relatively easy to steal sensitive data contained within the captured screenshots. This vulnerability makes the Recall directory a prime target for information-stealing malware. Microsoft has acknowledged these security concerns and plans to implement security improvements in future versions. This detection aims to identify unauthorized access to the Windows Recall directory by suspicious processes before those improvements are implemented.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eMalware gains initial access to the system (e.g., through phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe malware executes and attempts to locate the Windows Recall directory (typically under \u003ccode\u003e*CoreAIPlatform.00\\\\UKP*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malware uses Windows API calls or other methods to request access to the Recall directory.\u003c/li\u003e\n\u003cli\u003eWindows Event Log Security generates an event (EventID 4663) indicating object access.\u003c/li\u003e\n\u003cli\u003eThe malware reads the screenshot data from the Recall directory.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates the stolen screenshot data to a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exfiltrated data for sensitive information (credentials, personal data, etc.).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal any information displayed on the user\u0026rsquo;s screen, including credentials, financial data, personal communications, and other sensitive information. This can lead to identity theft, financial fraud, and further compromise of the user\u0026rsquo;s system and network. The number of potential victims is substantial, given the widespread use of Windows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Access to Windows Recall Directory\u003c/code\u003e to your SIEM to detect unauthorized access to the Recall directory via Windows Event Log ID 4663.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eSuspicious Access to Windows Recall Directory\u003c/code\u003e rule, paying close attention to the \u003ccode\u003eProcessName\u003c/code\u003e and \u003ccode\u003eObjectName\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for processes attempting to access the Windows Recall directory using \u003ccode\u003eAccessList=\u0026quot;%%4416\u0026quot;\u003c/code\u003e as documented in the event ID 4663.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or untrusted software that may attempt to access the Windows Recall directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T14:38:00Z","date_published":"2024-07-03T14:38:00Z","id":"/briefs/2024-07-windows-recall-access/","summary":"This detection identifies processes accessing the Windows Recall directory, a feature that takes screenshots every few seconds, and due to initial security shortcomings, could be exploited by malware to steal sensitive data.","title":"Suspicious Process Accessing Windows Recall Directory","url":"https://feed.craftedsignal.io/briefs/2024-07-windows-recall-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Recall","version":"https://jsonfeed.org/version/1.1"}