Windows Recovery Environment Disabled Via Reagentc

Rule Info

Name
Windows Recovery Environment Disabled Via Reagentc
Author
Daniel Koifman (KoifSec), Michael Vilshin
Description
Detects attempts to disable windows recovery environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
Reference
https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
Date
2025-07-31 00:00:00
Modified
None
Id
db1c21e4-cd66-4b4e-85ca-590f0780529c
Tags
attack.impact attack.t1490
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=db1c21e4-cd66-4b4e-85ca-590f0780529c

Rule History

Author
Title
Date
Commit
Koifman
Merge PR #5569 from @Koifman - Add `Windows Recovery Environment Disabled Via Reagentc`
2025-08-14
631a23d33
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022