Windows recall active check windows (#238)

vastlimits · Jun 6, 2024 · 1c226d5 · 1c226d5
1 parent c371537
commit 1c226d5
Show file tree

Hide file tree

Showing 3 changed files with 167 additions and 1 deletion.
diff --git a/config-dev/Security inventory/Windows/WindowsConfiguration/WindowsConfiguration-Machine.ps1 b/config-dev/Security inventory/Windows/WindowsConfiguration/WindowsConfiguration-Machine.ps1
@@ -356,7 +356,75 @@ function Get-vlWindowsPersistanceCheck {
    }
 }
 
+function Get-vlCheckWindowsRecallStatusLM {
+   <#
+    .SYNOPSIS
+        Checks if Windows Recall is enabled on the system.
+    .DESCRIPTION
+        Windows Recall is a feature for Copilot+ PCs that creates a timeline of user activity by taking snapshots of the desktop and processing them using AI.
+
+        https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c
+        https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
+    .OUTPUTS
+         PSCustomObject
+         enabled: true if enabled, false if not
+    .EXAMPLE
+         Get-vlCheckWindowsRecallStatusLM
+    #>
+
+   try {
+      <#
+         0  Enable saving Snapshots for Windows. (Default)
+         1	Disable saving Snapshots for Windows
+      #>
+      $riskScore = 50
+
+      if (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI") {
+         $value = Get-vlRegValue -Hive "HKLM" -Path "SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Value "DisableAIDataAnalysis"
+
+         if ($null -eq $value -or $value -eq 0) {
+            $result = [PSCustomObject]@{
+               Enabled = $true
+            }
+
+            return New-vlResultObject -result $result -score 0 -riskScore $riskScore
+         }
+         else {
+            $result = [PSCustomObject]@{
+               Enabled = $false
+            }
+            return New-vlResultObject -result $result -score 10 -riskScore $riskScore
+         }
+      }
+
+      if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\WindowsAI") {
+         $value = Get-vlRegValue -Hive "HKLM" -Path "SOFTWARE\Microsoft\Windows\WindowsAI" -Value "DisableAIDataAnalysis"
+
+         if ($null -eq $value -or $value -eq 0) {
+            $result = [PSCustomObject]@{
+               Enabled = $true
+            }
+
+            return New-vlResultObject -result $result -score 0 -riskScore $riskScore
+         }
+         else {
+            $result = [PSCustomObject]@{
+               Enabled = $false
+            }
+            return New-vlResultObject -result $result -score 10 -riskScore $riskScore
+         }
+      }
+
+      $result = [PSCustomObject]@{
+         Enabled = $false
+      }
 
+      return New-vlResultObject -result $result -score 10 -riskScore $riskScore
+   }
+   catch {
+      return New-vlErrorObject -context $_
+   }
+}
 
 function Get-WindowsConfigurationCheck {
    #set $params to $global:args or if empty default "all"
@@ -405,6 +473,20 @@ function Get-WindowsConfigurationCheck {
       }
    }
 
+   if ($params.Contains("all") -or $params.Contains("WCLMRecallStatus")) {
+      $checkWindowsRecallStatus = Get-vlCheckWindowsRecallStatusLM
+      $Output += [PSCustomObject]@{
+         Name         = "WCLMRecallStatus"
+         DisplayName  = "WindowsConfiguration Recall status - Machine"
+         Description  = "[Experimental] This test determines the status of Windows Recall, a feature introduced with Windows 11 24H2 that creates a timeline of user activity by capturing desktop screenshots. Attackers could potentially exploit the collected data by extracting sensitive information."
+         Score        = $checkWindowsRecallStatus.Score
+         ResultData   = $checkWindowsRecallStatus.Result
+         RiskScore    = $checkWindowsRecallStatus.RiskScore
+         ErrorCode    = $checkWindowsRecallStatus.ErrorCode
+         ErrorMessage = $checkWindowsRecallStatus.ErrorMessage
+      }
+   }
+
    <#
     #TODO: Add a better logic to check for "corrupt" or "repaired" in CBS.log
     if ($params.Contains("all") -or $params.Contains("persistancecheck")) {

diff --git a/config-dev/Security inventory/Windows/WindowsConfiguration/WindowsConfiguration-User.ps1 b/config-dev/Security inventory/Windows/WindowsConfiguration/WindowsConfiguration-User.ps1
@@ -118,6 +118,76 @@ function Get-CheckHTAEnabled {
    }
 }
 
+function Get-vlCheckWindowsRecallStatusCU {
+   <#
+    .SYNOPSIS
+        Checks if Windows Recall is enabled for the current user.
+    .DESCRIPTION
+        Windows Recall is a feature for Copilot+ PCs that creates a timeline of user activity by taking snapshots of the desktop and processing them using AI.
+
+        https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c
+        https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
+    .OUTPUTS
+         PSCustomObject
+         enabled: true if enabled, false if not
+    .EXAMPLE
+         Get-vlCheckWindowsRecallStatusCU
+    #>
+
+   try {
+      <#
+         0 (Default)	Enable saving Snapshots for Windows.
+         1	Disable saving Snapshots for Windows
+      #>
+      $riskScore = 50
+
+      if (Test-Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI") {
+         $value = Get-vlRegValue -Hive "HKCU" -Path "SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Value "DisableAIDataAnalysis"
+
+         if ($null -eq $value -or $value -eq 0) {
+            $result = [PSCustomObject]@{
+               Enabled = $true
+            }
+
+            return New-vlResultObject -result $result -score 0 -riskScore $riskScore
+         }
+         else {
+            $result = [PSCustomObject]@{
+               Enabled = $false
+            }
+            return New-vlResultObject -result $result -score 10 -riskScore $riskScore
+         }
+      }
+
+      if (Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\WindowsAI") {
+         $value = Get-vlRegValue -Hive "HKCU" -Path "SOFTWARE\Microsoft\Windows\WindowsAI" -Value "DisableAIDataAnalysis"
+
+         if ($null -eq $value -or $value -eq 0) {
+            $result = [PSCustomObject]@{
+               Enabled = $true
+            }
+
+            return New-vlResultObject -result $result -score 0 -riskScore $riskScore
+         }
+         else {
+            $result = [PSCustomObject]@{
+               Enabled = $false
+            }
+            return New-vlResultObject -result $result -score 10 -riskScore $riskScore
+         }
+      }
+
+      $result = [PSCustomObject]@{
+         Enabled = $false
+      }
+
+      return New-vlResultObject -result $result -score 10 -riskScore $riskScore
+   }
+   catch {
+      return New-vlErrorObject -context $_
+   }
+}
+
 function Get-WindowsConfigurationCheck {
    #set $params to $global:args or if empty default "all"
    $params = if ($global:args) { $global:args } else { "all" }
@@ -139,6 +209,20 @@ function Get-WindowsConfigurationCheck {
       }
    }
 
+   if ($params.Contains("all") -or $params.Contains("WCCURecallStatus")) {
+      $checkWindowsRecallStatus = Get-vlCheckWindowsRecallStatusCU
+      $Output += [PSCustomObject]@{
+         Name         = "WCCURecallStatus"
+         DisplayName  = "WindowsConfiguration Recall status - User"
+         Description  = "[Experimental] This test determines the status of Windows Recall, a feature introduced with Windows 11 24H2 that creates a timeline of user activity by capturing desktop screenshots. Attackers could potentially exploit the collected data by extracting sensitive information."
+         Score        = $checkWindowsRecallStatus.Score
+         ResultData   = $checkWindowsRecallStatus.Result
+         RiskScore    = $checkWindowsRecallStatus.RiskScore
+         ErrorCode    = $checkWindowsRecallStatus.ErrorCode
+         ErrorMessage = $checkWindowsRecallStatus.ErrorMessage
+      }
+   }
+
    return $output
 }
 

diff --git a/config/uberAgent-ESA-si-vastlimits-windows.conf b/config/uberAgent-ESA-si-vastlimits-windows.conf
@@ -164,7 +164,7 @@ Name = WindowsConfiguration-User
 ScriptId = 13270F6B-7160-4629-90C4-F36E621D43F9
 Category = WindowsConfiguration
 ScriptTimeoutMs = 600000
-ScriptCommandline = "###UA_SI_LOCALPATH###\WindowsConfiguration\WindowsConfiguration-User.ps1" uberAgent-SCI WCHta
+ScriptCommandline = "###UA_SI_LOCALPATH###\WindowsConfiguration\WindowsConfiguration-User.ps1" uberAgent-SCI WCHta WCCURecallStatus
 Interpreter = PowerShell
 ScriptContext = UserSessionAsUser
 IntegrityLevel = Medium + AllowChildProcesses=3