DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
Sigma rule (View on GitHub)
1title: DNS Query Request By QuickAssist.EXE
2id: 882e858a-3233-4ba8-855e-2f3d3575803d
3status: experimental
4description: |
5 Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
6references:
7 - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
8 - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
9 - https://x.com/cyb3rops/status/1862406110365245506
10 - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
11author: Muhammad Faisal (@faisalusuf)
12date: 2024-12-19
13tags:
14 - attack.initial-access
15 - attack.t1071.001
16 - attack.t1210
17logsource:
18 category: dns_query
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\QuickAssist.exe'
23 QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
24 condition: selection
25falsepositives:
26 - Legitimate use of Quick Assist in the environment.
27level: low
References
-
Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.
Read More -
I've been assisting a few orgs hit with successful ransomware deployment lately where two newish things are at play - sharing is caring. They're doing… | 108 comments on LinkedIn
Read More -
Related rules
- Apache Threading Error
- OMIGOD HTTP No Authentication RCE
- Terminal Service Process Spawn
- Ursnif Malware C2 URL Pattern
- Suspicious Processes Spawned by Java.EXE