QuickAssist Execution

    Date: 12/20/2024

    Severity: Medium

    Summary

    "QuickAssist Execution" detects execution of the Microsoft Quick Assist tool ("QuickAssist.exe"). The utility is designed for remote assistance, allowing users to receive or provide support, but attackers can abuse it to gain unauthorized remote access to a victim's system. Because of this potential for misuse in cyberattacks, its execution should be monitored.

    Indicators of Compromise (IOC) List

    Processname

    '\QuickAssist.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security") AND eventtype = "4688") AND processname = "\QuickAssist.exe"

    Detection Query 2

    technologygroup = "EDR" AND processname = "\QuickAssist.exe"
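
The same logic applied offline to exported Security-log events, as an added example that is not part of the original advisory or of Gurucul's product. It assumes the IOC's leading backslash means a suffix match on the full image path, compares case-insensitively because Windows paths are case-insensitive, and reads the image from the 4688 `NewProcessName` field; the helper names, host name and sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
IOC_SUFFIX = "\\QuickAssist.exe"  # process-name IOC from the advisory

def _event(event_id, image, user="alice", parent="C:\\Windows\\explorer.exe"):
    """Build a constructed Security-log event in Windows event XML form."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Computer>WKSTN-01</Computer></System>"
        "<EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="NewProcessName">{image}</Data>'
        f'<Data Name="ParentProcessName">{parent}</Data>'
        "</EventData></Event>"
    )

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event(4688, "C:\\Windows\\System32\\quickassist.exe"),           # match, case differs
    _event(4688, "C:\\Users\\alice\\Downloads\\NotQuickAssist.exe"),  # no match: suffix is anchored on "\"
    _event(4688, "C:\\Windows\\System32\\notepad.exe"),               # unrelated process
    _event(4689, "C:\\Windows\\System32\\QuickAssist.exe"),           # different event ID, not 4688
]

def parse(xml_text):
    """Flatten one event's System/EventData values into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields

def is_quickassist_execution(fields):
    """Event 4688 whose image path ends with the IOC suffix (case-insensitive)."""
    image = fields.get("NewProcessName", "")
    return fields.get("EventID") == "4688" and image.lower().endswith(IOC_SUFFIX.lower())

def detect(events):
    """Return the parsed fields of every matching event, for analyst triage."""
    return [f for f in map(parse, events) if is_quickassist_execution(f)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["Computer"], hit["SubjectUserName"], hit["NewProcessName"], hit["ParentProcessName"])
```
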

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml  


    Tags

    Sigma, Malware, QuickAssist
