diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index 9ef5a06..3578eac 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -120,6 +120,7 @@ updated: 2025-08-03 - [Volume Shadow Copy](volume-shadow-copy) - [Volume Shadow Delete](volume-shadow-delete) - [Windows Event Log Clearing Events](windows-event-log-clearing-events) +- [Windows Recovery Environment disabled](windows-recovery-environment-disabled) - [Windows System Event Log Clearing Events](windows-system-event-log-clearing-events) - [Windows Firewall Modification](windows-firewall-modification) - [Windows JScript execution](windows-jscript-execution) diff --git a/source/threat-hunting/windows-recovery-environment-disabled.md b/source/threat-hunting/windows-recovery-environment-disabled.md new file mode 100644 index 0000000..501c17f --- /dev/null +++ b/source/threat-hunting/windows-recovery-environment-disabled.md @@ -0,0 +1,12 @@ +--- +title: Windows Recovery Environment disabled +layout: page +date: 2025-08-03 +--- + +References: [1](https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes#defeat-system-recovery) +SPL: + +```spl +| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="reagentc.exe" Processes.process="*/disable*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s +```
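Review bot: in the index.md hunk the new entry `- [Windows Recovery Environment disabled](windows-recovery-environment-disabled)` lands between `Windows Event Log Clearing Events` and `Windows System Event Log Clearing Events`, splitting the two event-log-clearing entries that the list keeps adjacent; move it to after the `Windows System Event Log Clearing Events` line (or next to the other `Windows ...` entries further down) so related pages stay grouped. Its capitalisation ("... disabled") also differs from most neighbours ("Windows Firewall Modification"); whichever form is chosen should match the `title:` in the new file.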
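Review bot: the new windows-recovery-environment-disabled.md page has no description alongside the SPL, so a reader has nothing to triage a hit against; add a sentence stating that `reagentc.exe /disable` turns off the Windows Recovery Environment (the referenced Elastic write-up describes an infostealer doing this to defeat system recovery) and note the expected benign source, OS imaging or deployment scripts that disable WinRE by design. On the query itself, `Processes.process_name="reagentc.exe"` alone misses a renamed copy of the binary; pairing it with the CIM field `Processes.original_file_name`, e.g. `WHERE index="windows" (Processes.process_name="reagentc.exe" OR Processes.original_file_name="reagentc.exe") Processes.process="*/disable*"` (verify the exact casing your data carries in that field), closes that gap at no cost to the rest of the search.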