Rule Info
Name
Windows Recovery Environment Disabled Via Reagentc
Author
Daniel Koifman (KoifSec), Michael Vilshin
Description
Detects attempts to disable windows recovery environment using Reagentc.
ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
Date
2025-07-31 00:00:00
Modified
None
Id
db1c21e4-cd66-4b4e-85ca-590f0780529c
Tags
attack.impact attack.t1490
Type
Community Rule
Link to Public Repo
Rule History
Author
Title
Date
Commit
phantinuss
Merge PR #5630 from @phantinuss - Revert "chore: improve windash order in modifiers"
2025-08-28
phantinuss
Merge PR #5628 from @phantinuss - chore: improve windash order in modifiers
2025-08-26
Koifman
Merge PR #5569 from @Koifman - Add `Windows Recovery Environment Disabled Via Reagentc`
2025-08-14
Scan your endpoints, forensic images or collected files with our portable scanner THOR