Quick Assist Full Control Sharing Mode Enabled

Identifies when Microsoft Quick Assist sharing mode is set to FullControl on a Windows host. This grants the remote helper full interactive control of the target device and may indicate IT help desk fraud, unauthorized remote access, or lateral movement preparation.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/21"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/06/21"

[rule]
author = ["Elastic"]
description = """
Identifies when Microsoft Quick Assist sharing mode is set to FullControl on a Windows host. This grants the remote
helper full interactive control of the target device and may indicate IT help desk fraud, unauthorized remote access,
or lateral movement preparation.
"""
from = "now-9m"
index = ["logs-system.application*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Quick Assist Full Control Sharing Mode Enabled"
references = [
    "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
    "https://attack.mitre.org/software/S1209/"
]
risk_score = 47
rule_id = "1b1b4236-175f-4863-89f7-7f0d2da0f0e8"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Tactic: Lateral Movement",
    "Data Source: Windows Application Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
host.os.type:windows and winlog.channel:"Application" and event.provider:"Quick Assist" and event.code:"0" and
  winlog.event_data.param1:(*FullControl* and *setsharingmode*)
'''

note = """## Triage and analysis

### Investigating Quick Assist Full Control Sharing Mode Enabled

Microsoft Quick Assist is a built-in remote support tool. When a sharer grants FullControl, the helper can interact with
the desktop as if physically present. Adversaries abuse Quick Assist in help desk fraud and social engineering to gain
interactive access without deploying separate remote access software.

Quick Assist logs these transitions in the Windows Application log under the Quick Assist provider. A `setsharingmode`
command with sharing mode `FullControl` is written to `winlog.event_data.param1`, often alongside a JSON payload that
includes `"result":"true"` when consent is granted.

#### Possible investigation steps

- Review `winlog.event_data.param1` and any related Quick Assist Application log events around `@timestamp` for
  `beginsharing`, `setsharingmode`, and `endsharing` commands to reconstruct the session timeline.
- Identify the local user on `host.id` who initiated or approved the session and determine whether Quick Assist use is
  expected for that user, host role, or business unit.
- Correlate with process telemetry for `QuickAssist.exe` on the same host and timeframe, including parent process,
  command line, and code signature details when available.
- Check for related alerts on the same `host.id` or `user.id`, such as credential access, defense evasion, or
  additional remote access activity during or shortly after the session.
- If the host is a server or privileged workstation, determine whether any follow-on actions occurred during the
  FullControl window, such as new logons, service creation, or lateral movement.

### False positive analysis

- IT help desk, managed service providers, and internal support teams legitimately use Quick Assist with FullControl
  during approved troubleshooting. Confirm the session aligns with an open ticket, known support staff, and expected
  host and user pairings before closing as benign.
- Before creating an exception, anchor it on the minimum confirmed workflow: `host.id`, `user.id`, and recurring
  support patterns. Avoid broad exceptions on the Quick Assist provider alone.

### Response and remediation

- If confirmed malicious, terminate the Quick Assist session, isolate the affected host when feasible, and reset
  credentials for accounts used or exposed during the session.
- Preserve Application log events containing `winlog.event_data.param1` and related Quick Assist telemetry before
  remediation.
- Review whether Quick Assist should remain enabled organization-wide or be restricted via policy for high-value hosts.
- Hunt for additional hosts where the same remote helper pattern or concurrent Quick Assist FullControl sessions
  occurred."""

setup = """## Setup

Windows Application event log collection must be enabled via the Elastic Agent System integration to ingest Application log events.
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "host.name",
    "user.id",
    "user.name",
    "event.provider",
    "event.code",
    "winlog.event_id",
    "winlog.event_data.param1",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

Triage and analysis

Investigating Quick Assist Full Control Sharing Mode Enabled

Microsoft Quick Assist is a built-in remote support tool. When a sharer grants FullControl, the helper can interact with the desktop as if physically present. Adversaries abuse Quick Assist in help desk fraud and social engineering to gain interactive access without deploying separate remote access software.

Quick Assist logs these transitions in the Windows Application log under the Quick Assist provider. A setsharingmode command with sharing mode FullControl is written to winlog.event_data.param1, often alongside a JSON payload that includes "result":"true" when consent is granted.

Possible investigation steps

  • Review winlog.event_data.param1 and any related Quick Assist Application log events around @timestamp for beginsharing, setsharingmode, and endsharing commands to reconstruct the session timeline.
  • Identify the local user on host.id who initiated or approved the session and determine whether Quick Assist use is expected for that user, host role, or business unit.
  • Correlate with process telemetry for QuickAssist.exe on the same host and timeframe, including parent process, command line, and code signature details when available.
  • Check for related alerts on the same host.id or user.id, such as credential access, defense evasion, or additional remote access activity during or shortly after the session.
  • If the host is a server or privileged workstation, determine whether any follow-on actions occurred during the FullControl window, such as new logons, service creation, or lateral movement.
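The following is an added example, not part of the Elastic rule or its investigation guide. It applies the rule's KQL conditions to a handful of constructed Quick Assist Application log events and then rebuilds the session timeline from the `beginsharing`, `setsharingmode`, and `endsharing` commands, as the first investigation step describes. The events, host IDs, timestamps, and the exact text layout of `winlog.event_data.param1` (`<command> [mode] {json}`) are all constructed for illustration; only the field names and the `FullControl`, `setsharingmode`, and `"result":"true"` tokens come from the rule itself.

```python
"""Added example: apply the Quick Assist FullControl rule logic to constructed events and
reconstruct the sharing session timeline. Sample data and the param1 layout are assumptions."""
import json
import re


def qa_event(ts, host, param1, provider="Quick Assist"):
    """Build one flattened, ECS-style event. Every field except param1/provider is fixed
    because the constructed samples only vary in those two."""
    return {"@timestamp": ts, "host.os.type": "windows", "host.id": host,
            "winlog.channel": "Application", "event.provider": provider,
            "event.code": "0", "winlog.event_data.param1": param1}


# Constructed sample events (made-up hosts, times and payloads).
SAMPLE_EVENTS = [
    # h-01: full session, sharer consented to FullControl, session later ended
    qa_event("2026-06-21T09:00:01Z", "h-01", 'beginsharing {"result":"true"}'),
    qa_event("2026-06-21T09:00:05Z", "h-01", 'setsharingmode FullControl {"result":"true"}'),
    qa_event("2026-06-21T09:14:30Z", "h-01", 'endsharing {"result":"true"}'),
    # h-02: session without any FullControl request
    qa_event("2026-06-21T10:00:00Z", "h-02", 'beginsharing {"result":"true"}'),
    qa_event("2026-06-21T10:03:00Z", "h-02", 'endsharing {"result":"true"}'),
    # h-03: FullControl requested but declined (constructed "false" result)
    qa_event("2026-06-21T11:00:00Z", "h-03", 'setsharingmode FullControl {"result":"false"}'),
    # h-03: same text from a different provider; must not match the rule
    qa_event("2026-06-21T11:00:01Z", "h-03", "setsharingmode FullControl", provider="ExampleApp"),
]


def matches_rule(ev):
    """Python equivalent of the rule's KQL. On a keyword field the *FullControl* and
    *setsharingmode* wildcards are case-sensitive substring tests, so 'in' is the analogue."""
    p1 = ev.get("winlog.event_data.param1") or ""
    return (ev.get("host.os.type") == "windows"
            and ev.get("winlog.channel") == "Application"
            and ev.get("event.provider") == "Quick Assist"
            and str(ev.get("event.code")) == "0"
            and "FullControl" in p1
            and "setsharingmode" in p1)


def alerts(events):
    """Events that would raise the rule's alert."""
    return [ev for ev in events if matches_rule(ev)]


# Assumed layout: '<command> [mode] {json}'. The mode is alphabetic so the JSON is not captured.
COMMAND_RE = re.compile(r"^(beginsharing|setsharingmode|endsharing)(?:\s+([A-Za-z]+))?")


def parse_param1(param1):
    """Split param1 into (command, mode, result); result is the JSON 'result' value if present."""
    m = COMMAND_RE.match(param1)
    command = m.group(1) if m else None
    mode = m.group(2) if m else None
    result = None
    brace = param1.find("{")
    if brace != -1:
        try:
            payload = json.loads(param1[brace:])
        except ValueError:
            payload = {}
        if isinstance(payload, dict):
            result = payload.get("result")
    return command, mode, result


def session_timeline(events, host_id):
    """Ordered (timestamp, command, mode, result) rows for one host's Quick Assist events."""
    rows = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("host.id") != host_id or ev.get("event.provider") != "Quick Assist":
            continue
        command, mode, result = parse_param1(ev.get("winlog.event_data.param1") or "")
        if command:
            rows.append((ev["@timestamp"], command, mode, result))
    return rows


def full_control_windows(events, host_id):
    """(start, end) pairs during which the helper held consented FullControl. end is None
    when no endsharing event followed, i.e. the session may still be open."""
    windows, start = [], None
    for ts, command, mode, result in session_timeline(events, host_id):
        if command == "setsharingmode" and mode == "FullControl" and result == "true":
            start = start or ts
        elif command == "endsharing" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT", ev["host.id"], ev["@timestamp"], ev["winlog.event_data.param1"])
    for host in ("h-01", "h-02", "h-03"):
        print(host, "FullControl windows:", full_control_windows(SAMPLE_EVENTS, host))
```

Two things the sample run makes visible. First, the query fires on the `setsharingmode ... FullControl` text alone, so the declined request on `h-03` alerts just like the consented one on `h-01`; the `"result"` value in the JSON payload is what tells the analyst whether control was actually granted. Second, the timeline gives the FullControl window as a concrete start and end, which is the interval to check for the follow-on logons, service creation, or lateral movement the last investigation step mentions.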

False positive analysis

  • IT help desk, managed service providers, and internal support teams legitimately use Quick Assist with FullControl during approved troubleshooting. Confirm the session aligns with an open ticket, known support staff, and expected host and user pairings before closing as benign.
  • Before creating an exception, anchor it on the minimum confirmed workflow: host.id, user.id, and recurring support patterns. Avoid broad exceptions on the Quick Assist provider alone.

Response and remediation

  • If confirmed malicious, terminate the Quick Assist session, isolate the affected host when feasible, and reset credentials for accounts used or exposed during the session.
  • Preserve Application log events containing winlog.event_data.param1 and related Quick Assist telemetry before remediation.
  • Review whether Quick Assist should remain enabled organization-wide or be restricted via policy for high-value hosts.
  • Hunt for additional hosts where the same remote helper pattern or concurrent Quick Assist FullControl sessions occurred.
