Windows Recovery Environment Disabled Via Reagentc

Original Source: [Sigma source]
Title: Windows Recovery Environment Disabled Via Reagentc
Status: experimental
Description: Detects attempts to disable the Windows Recovery Environment using ReAgentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
References:
  - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
  - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
Author: Daniel Koifman (KoifSec), Michael Vilshin
Date: 2025-07-31
Modified: None
Tags:
  - attack.impact
  - attack.t1490
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img:
    - Image|endswith: '\reagentc.exe'
    - OriginalFileName: 'reagentc.exe'
  selection_cli:
    CommandLine|contains|windash: '/disable'
  condition: all of selection_*
Falsepositives:
  - Legitimate administrative activity
Level: medium
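As an added example that is not part of the Sigma rule or its tooling, the following Python evaluates this rule's detection logic (the OR-ed image selection, the windash-aware command-line match, and the `all of selection_*` condition) against constructed process_creation events. The set of dash characters used to emulate `windash` and the sample events are assumptions of the example.

```python
# Added example (not part of the Sigma rule or its tooling): evaluates this
# rule's logic over constructed process_creation events. Field names follow
# the rule; the events are constructed sample data, not real telemetry.
# `windash` is emulated as the dash variants named in the Sigma modifier
# specification (assumption): '/', '-', en dash, em dash, horizontal bar.

WINDASH_VARIANTS = ("/", "-", "\u2013", "\u2014", "\u2015")

def windash_contains(command_line: str, value: str) -> bool:
    """Emulate `contains|windash`: the value's leading '/' may appear as any
    accepted dash character; matching is case-insensitive like Sigma."""
    cl = command_line.lower()
    body = value.lstrip("/").lower()
    return any(f"{d}{body}" in cl for d in WINDASH_VARIANTS)

def selection_img(event: dict) -> bool:
    """List items in a Sigma selection are OR-ed: image path OR PE metadata."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith("\\reagentc.exe") or ofn == "reagentc.exe"

def selection_cli(event: dict) -> bool:
    return windash_contains(event.get("CommandLine", ""), "/disable")

def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)

# Constructed sample events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc.exe /disable"},           # canonical form
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "ReAgentc.exe -Disable"},           # dash form, caught by windash
    {"Image": r"C:\Windows\System32\ReAgentc.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "reagentc.exe /info"},              # benign query, no match
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "reagentc.exe",
     "CommandLine": "renamed.exe /disable"},            # renamed binary, OriginalFileName still hits
]

def matching_indices(events=SAMPLE_EVENTS) -> list:
    """Indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    print(matching_indices())  # [0, 1, 3]
```

The fourth sample shows why the rule keys on OriginalFileName as well as the image path: a copied or renamed binary keeps its PE metadata.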