LoFP / legitimate use of quick assist in the environment.

Techniques

Sample rules

DNS Query Request By QuickAssist.EXE

Description

Detects DNS queries initiated by “QuickAssist.exe” to the Microsoft Quick Assist primary endpoint, which is used to establish a session.

Detection logic

condition: selection
selection:
  Image|endswith: \QuickAssist.exe
  QueryName|endswith: remoteassistance.support.services.microsoft.com

QuickAssist Execution

Description

Detects the execution of the Microsoft Quick Assist tool “QuickAssist.exe”. This utility can be used by attackers to gain remote access.

Detection logic

condition: selection
selection:
  Image|endswith: \QuickAssist.exe