page(threat-hunting): Windows Recovery Environment disabled

Ming Di Leom 2025-08-03 08:04:17 +00:00
parent 3511c59121
commit e284914748
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 13 additions and 0 deletions

@ -120,6 +120,7 @@ updated: 2025-08-03
- [Volume Shadow Copy](volume-shadow-copy) - [Volume Shadow Copy](volume-shadow-copy)
- [Volume Shadow Delete](volume-shadow-delete) - [Volume Shadow Delete](volume-shadow-delete)
- [Windows Event Log Clearing Events](windows-event-log-clearing-events) - [Windows Event Log Clearing Events](windows-event-log-clearing-events)
- [Windows Recovery Environment disabled](windows-recovery-environment-disabled)
- [Windows System Event Log Clearing Events](windows-system-event-log-clearing-events) - [Windows System Event Log Clearing Events](windows-system-event-log-clearing-events)
- [Windows Firewall Modification](windows-firewall-modification) - [Windows Firewall Modification](windows-firewall-modification)
- [Windows JScript execution](windows-jscript-execution) - [Windows JScript execution](windows-jscript-execution)
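Review bot: the new entry's link target `windows-recovery-environment-disabled` has to match the new page's filename, and this rendered diff only shows the second file's front-matter `title`, not its path; please confirm the file is named `windows-recovery-environment-disabled.md` (with the same `.md` extension the sibling pages use) or the index link will 404. Minor style point on the same line: the neighbouring entries capitalise each word (`Windows Firewall Modification`, `Windows Event Log Clearing Events`), so `Windows Recovery Environment Disabled` would be consistent, though `Windows JScript execution` already breaks that pattern.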

@ -0,0 +1,12 @@
---
title: Windows Recovery Environment disabled
layout: page
date: 2025-08-03
---
References: [1](https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes#defeat-system-recovery)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="reagentc.exe" Processes.process="*/disable*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
```
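Review bot: `References: ...` and `SPL:` are on consecutive lines with no blank line between them or before the code fence, so the rendered markdown folds them into one paragraph; add a blank line after the `References:` line and one between `SPL:` and the opening fence. On the query itself, `Processes.process_name="reagentc.exe"` keys on the file name alone, so a renamed copy of the binary that still runs `/disable` is missed; if the endpoint source populates it, also match `Processes.original_file_name="reagentc.exe"` (a CIM `Endpoint.Processes` field), and add `Processes.process_path` to the `BY` clause so an execution from outside `System32` stands out at triage. The `*/disable*` wildcard will also fire on legitimate imaging and provisioning scripts that disable WinRE, so the page should note that the `parent_process` and `user` fields in the output are what separate those from the stealer behaviour the reference describes.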