DNS Query Request By QuickAssist.EXE

Original Source: [Sigma source]

Title: DNS Query Request By QuickAssist.EXE
Status: experimental
Description:Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
References:
-https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
-https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
-https://x.com/cyb3rops/status/1862406110365245506
-https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
Author: Muhammad Faisal (@faisalusuf)
Date: 2024-12-19
modified:None
Tags:

-'attack.initial-access'
-'attack.t1071.001'
-'attack.t1210'

Logsource:

category: dns_query
product: windows

Detection:
selection:
Image|endswith: '\QuickAssist.exe'
QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
condition:selection
Falsepositives:
-Legitimate use of Quick Assist in the environment.
Level: low

Sign Up to Personalize and Manage Your Detection

DNS Query Request By QuickAssist.EXE