Full Report
Even after its refurbishing, Recall provides few ways to exclude specific apps.
Analysis Summary
# Tool/Technique: Windows Recall
## Overview
Windows Recall is an AI feature integrated into Windows 11 that captures, indexes, and stores snapshots of user activity on the desktop every three seconds. The feature is intended to let users search for and recall past activities. Signal, a secure messaging application, has implemented a default block against Recall's screenshotting capabilities for its Windows Desktop application due to privacy risks associated with how Recall operates.
## Technical Details
- Type: Tool (Operating System Feature/Utility)
- Platform: Windows 11
- Capabilities: Periodically screenshots the user's screen, performs Optical Character Recognition (OCR) on the content, and stores this indexed data. The redesigned version is opt-in and stores data encrypted in a secure enclave.
- First Seen: The initial version was introduced around May 2024; the overhauled version was reintroduced later.
## MITRE ATT&CK Mapping
Since Recall is a legitimate OS feature, the relevant TTPs relate to how adversaries might *exploit* the data it collects, or how applications might *defend* against it.
- **TA0004 - Privilege Escalation** (Potential if an attacker gains access to the Recall data store)
  - T1548 - Abuse Elevation Control Mechanism (If system rights allow access to the stored data)
- **TA0009 - Collection** (How Recall itself collects data, which can be leveraged by malware)
  - T1113 - Screen Capture (The core mechanism used by Recall)
## Functionality
### Core Capabilities
- Continuous monitoring and capturing of the user interface/screen state at short intervals (e.g., every three seconds).
- Storing indexed data derived from screenshots via OCR.
- Allowing users to search historical screen states.
### Advanced Features
- Encrypted storage of Recall data (in the overhauled version).
- Data keys secured in a separate, secure enclave.
- Inclusion of some user controls to limit indexed content (though critics argue these are insufficient).
## Indicators of Compromise
*Note: As this is a feature of the OS, the scope of traditional IOCs is limited unless an attacker exploits the data store.*
- File Hashes: N/A (OS feature)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: The inherent behavior is constant screen capture, readable by processes with sufficient system rights (before app-level mitigations).
## Associated Threat Actors
While Recall itself is a Microsoft feature, messaging apps like Signal are flagging it because threat actors could potentially exploit the data captured by Recall if they compromise the user's machine, allowing them to read sensitive information visible on the screen, including Signal messages.
## Detection Methods
*Focus shifts to detecting unauthorized access to the Recall data store or monitoring for unexpected screen capture activity.*
- Signature-based detection: Not applicable for the feature itself.
- Behavioral detection: Monitoring processes attempting to access the protected Recall database location or abnormal background process load associated with periodic capture/indexing services.
- YARA rules: Not applicable.
## Mitigation Strategies
- **For Application Developers (like Signal):** Implement application-level protections to prevent OS features from capturing application windows, often by disabling UI composition features or utilizing specific Windows APIs designed to block screenshots. Signal enables a default block on screenshots for its Desktop app.
- **For Users:**
  - Ensure Recall is explicitly opted out of (though the rebooted version is opt-in by default).
  - Review and customize the allowed/disallowed applications within Recall settings.
  - Restrict which applications have sufficient system rights to access the Recall data store if Microsoft's enclave protections are deemed insufficient.
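The developer-side mitigation above, as an added example that is not from the original report or from Signal's code: a PowerShell script that marks one of its own windows as excluded from screen capture and reads the setting back. The report does not name the API involved; this example assumes the Win32 `SetWindowDisplayAffinity` call with `WDA_EXCLUDEFROMCAPTURE`, and the `Demo.CaptureGuard` type, function names and demo window are constructed for illustration.

```powershell
# Added example: exclude a window owned by this process from screen capture.
# Assumption: SetWindowDisplayAffinity is the API used; the report names none.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Demo -Name CaptureGuard -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool GetWindowDisplayAffinity(IntPtr hWnd, out uint pdwAffinity);
'@

$WDA_MONITOR            = 0x01   # window appears with no content in captures
$WDA_EXCLUDEFROMCAPTURE = 0x11   # window is omitted from captures (Windows 10 2004+)

function Protect-Window {
    param([Parameter(Mandatory)][IntPtr]$Handle)
    # Prefer full exclusion; fall back to WDA_MONITOR on older builds.
    foreach ($mode in $WDA_EXCLUDEFROMCAPTURE, $WDA_MONITOR) {
        if ([Demo.CaptureGuard]::SetWindowDisplayAffinity($Handle, [uint32]$mode)) {
            return
        }
    }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "SetWindowDisplayAffinity failed, Win32 error $err"
}

function Get-WindowAffinity {
    param([Parameter(Mandatory)][IntPtr]$Handle)
    [uint32]$value = 0
    if (-not [Demo.CaptureGuard]::GetWindowDisplayAffinity($Handle, [ref]$value)) {
        throw "GetWindowDisplayAffinity failed"
    }
    return $value
}

# Constructed demo window: apply the protection once the window handle exists,
# then show the affinity value that Windows reports for it in the title bar.
$form = New-Object System.Windows.Forms.Form
$form.Text = 'Sensitive window (constructed demo)'
$form.Add_Shown({
    Protect-Window -Handle $form.Handle
    $form.Text += (' - affinity 0x{0:X2}' -f (Get-WindowAffinity -Handle $form.Handle))
})
[void]$form.ShowDialog()
```

`SetWindowDisplayAffinity` only succeeds on a top-level window that belongs to the calling process, so each application has to opt in for its own windows; it cannot be applied to another program from outside.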
## Related Tools/Techniques
- **Screen Scraping Malware:** Malicious software designed to achieve the same end goal (capturing screen contents) without the user's knowledge.
- **Keyloggers/Infostealers:** Tools that often work in conjunction with screen capture to gather all user inputs and displayed data.