Detectionlowexperimental

DNS Query Request By QuickAssist.EXE

Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Muhammad FaisalCreated Thu Dec 19882e858a-3233-4ba8-855e-2f3d3575803dwindows

Log Source

WindowsDNS Query

ProductWindows← raw: windows

CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic

detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
    condition: selection

False Positives

Legitimate use of Quick Assist in the environment.

References

MITRE ATT&CK

Tactics

TA0011 · Command and Control TA0001 · Initial Access TA0008 · Lateral Movement

Techniques

T1210 · Exploitation of Remote Services

Sub-techniques

T1071.001 · Web Protocols

Rule Metadata

Rule ID

882e858a-3233-4ba8-855e-2f3d3575803d

Status

experimental

Level

low

Type

Detection

Created

Thu Dec 19

Author

Muhammad Faisal

Path

rules/windows/dns_query/dns_query_win_quickassist.yml

Raw Tags

attack.command-and-controlattack.initial-accessattack.lateral-movementattack.t1071.001attack.t1210

View on GitHub