sigma | medium | Hunting

Windows Recovery Environment Disabled Via Reagentc

Detects attempts to disable the Windows Recovery Environment using ReAgentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.

MITRE ATT&CK

impact

Detection Query

selection_img:
  - Image|endswith: \reagentc.exe
  - OriginalFileName: reagentc.exe
selection_cli:
  CommandLine|contains|windash: /disable
condition: all of selection_*
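To show what this rule actually fires on, here is an added example (not part of the rule or of the Sigma project) that applies its three conditions to a handful of constructed process-creation events. The `windash` modifier is the interesting part: Sigma expands the leading `/` of the value to the dash variants a Windows command-line parser also accepts, so `reagentc -disable` is caught as well as `reagentc /disable`. The set of dash characters below is taken from my reading of the Sigma modifier documentation and is an assumption; the event field names follow the Sysmon/Sigma process_creation schema, and the events themselves are constructed.

```python
"""Toy matcher for the 'Windows Recovery Environment Disabled Via Reagentc' rule.

Added example, not the rule's own tooling. Implements the three parts of the
rule by hand so the effect of each selection and of the windash modifier is
visible on sample events.
"""

# Assumption: dash characters the Sigma windash modifier expands to
# (hyphen, slash, en dash, em dash, horizontal bar).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(value: str) -> list[str]:
    """Expand a single-flag value such as '/disable' into every dash variant.

    The rule's value has one leading prefix character, so expanding only the
    first character is sufficient here (a simplification of the full modifier).
    """
    if not value or value[0] not in "-/":
        return [value]
    return [dash + value[1:] for dash in WINDASH_VARIANTS]


def image_matches(event: dict) -> bool:
    """selection_img: Image ends with \\reagentc.exe OR OriginalFileName is reagentc.exe.

    Sigma string matching is case-insensitive, so lower() both sides. The
    OriginalFileName check catches a renamed copy of the binary.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\reagentc.exe") or original == "reagentc.exe"


def cli_matches(event: dict) -> bool:
    """selection_cli: CommandLine contains any windash variant of '/disable'."""
    cmd = event.get("CommandLine", "").lower()
    return any(variant in cmd for variant in windash_variants("/disable"))


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return image_matches(event) and cli_matches(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # plain invocation with a slash: matches
        "id": 1,
        "Image": r"C:\Windows\System32\ReAgentc.exe",
        "OriginalFileName": "reagentc.exe",
        "CommandLine": "reagentc /disable",
    },
    {   # same with a hyphen: only matches because of windash
        "id": 2,
        "Image": r"C:\Windows\System32\reagentc.exe",
        "OriginalFileName": "reagentc.exe",
        "CommandLine": "reagentc -disable",
    },
    {   # benign query of WinRE status: no match
        "id": 3,
        "Image": r"C:\Windows\System32\reagentc.exe",
        "OriginalFileName": "reagentc.exe",
        "CommandLine": "reagentc /info",
    },
    {   # renamed binary, en dash flag: caught via OriginalFileName + windash
        "id": 4,
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "reagentc.exe",
        "CommandLine": "svc.exe \u2013disable",
    },
    {   # '/disable' in a command line of an unrelated image: no match
        "id": 5,
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c echo /disable",
    },
]


def alerts(events: list[dict] = SAMPLE_EVENTS) -> list[int]:
    """Return the ids of events the rule would alert on."""
    return [event["id"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], rule_matches(event), event["CommandLine"])
    print("alerting ids:", alerts())
```

Event 5 is the reason the rule requires `all of selection_*` rather than the command-line match alone: the string `/disable` is common enough that the image constraint is what keeps the medium-level rule usable, and the listed false positive (legitimate administrative activity) is then the main triage question.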

Author

Daniel Koifman (KoifSec), Michael Vilshin

Created

2025-07-31

Data Sources

windows, Process Creation Events

Platforms

windows

Tags

attack.impact, attack.t1490

Raw Content

title: Windows Recovery Environment Disabled Via Reagentc
id: db1c21e4-cd66-4b4e-85ca-590f0780529c
status: experimental
description: |
    Detects attempts to disable windows recovery environment using Reagentc.
    ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
    It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
references:
    - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
    - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
author: Daniel Koifman (KoifSec), Michael Vilshin
date: 2025-07-31
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  reagentc /disable
        - Image|endswith: '\reagentc.exe'
        - OriginalFileName: 'reagentc.exe'
    selection_cli:
        CommandLine|contains|windash: '/disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium