DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
Sigma rule (View on GitHub)
1title: DNS Query Request By QuickAssist.EXE
2id: 882e858a-3233-4ba8-855e-2f3d3575803d
3status: experimental
4description: |
5 Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
6references:
7 - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
8 - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
9 - https://x.com/cyb3rops/status/1862406110365245506
10 - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
11author: Muhammad Faisal (@faisalusuf)
12date: 2024-12-19
13tags:
14 - attack.command-and-control
15 - attack.initial-access
16 - attack.lateral-movement
17 - attack.t1071.001
18 - attack.t1210
19logsource:
20 category: dns_query
21 product: windows
22detection:
23 selection:
24 Image|endswith: '\QuickAssist.exe'
25 QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
26 condition: selection
27falsepositives:
28 - Legitimate use of Quick Assist in the environment.
29level: low
References
-
Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.
Read More -
I've been assisting a few orgs hit with successful ransomware deployment lately where two newish things are at play - sharing is caring. They're doing initial recon over the phone for contact details, then flooding the users with email and/or Teams spam (think thousands of messages an hour). Then they phone up and pretend to be from IT to stop the spam - they use Microsoft Quick Assist to take remote control of the system, and install an SSH reverse shell backdoor, and stop the spam run. From there they hand off to another team, who move laterally and get domain admin, then another team does exfiltration and another encrypts. Two key learnings: - Get users to report very high volumes of spam to local IT support, and not accept blind calls to help - verify somehow. - Microsoft Quick Assist is installed *by default* in Windows 10 and 11, including in the Professional and Enterprise SKUs, and traverses firewalls and VPNs by design. To check your system, Windows key - type Quick and look for Quick Assist. All it takes to connect for a remote attacker is a 6 digit PIN. Remove the feature centrally, it's a big loophole. | 110 comments on LinkedIn
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Related rules
- Apache Threading Error
- OMIGOD HTTP No Authentication RCE
- Terminal Service Process Spawn
- OpenCanary - FTP Login Attempt
- Possible Exploitation of Exchange RCE CVE-2021-42321