Home/Quick Assist/Sigma rules
Sigma

Sigma rules for Quick Assist

2 rules · scoped to tool · back to Quick Assist
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

2 of 2
direct low
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
status experimental author Muhammad Faisal (@faisalusuf) id 882e858a-3233-4ba8-855e-2f3d3575803d license Sigma · DRL-1.1
view Sigma YAML 
title: DNS Query Request By QuickAssist.EXE
id: 882e858a-3233-4ba8-855e-2f3d3575803d
status: experimental
description: |
    Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.initial-access
    - attack.lateral-movement
    - attack.t1071.001
    - attack.t1210
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low
direct low
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
status experimental author Muhammad Faisal (@faisalusuf) id e20b5b14-ce93-4230-88af-981983ef6e74 license Sigma · DRL-1.1
view Sigma YAML 
title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
description: |
    Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low
Showing 1-2 of 2
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin