From 7c3cbf92df2f71e0c90871c16e6ac329949b7ee5 Mon Sep 17 00:00:00 2001
From: z00t
Date: Fri, 29 Nov 2024 14:09:27 +0400
Subject: [PATCH] Based on new threat intel two rules are added.

---
 .../dns_query_win_microsoft_quickassist.yml | 26 +++++++++++++++++++
 .../proc_creation_win_quick_assist.yml | 24 +++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 rules/windows/dns_query/dns_query_win_microsoft_quickassist.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_quick_assist.yml

diff --git a/rules/windows/dns_query/dns_query_win_microsoft_quickassist.yml b/rules/windows/dns_query/dns_query_win_microsoft_quickassist.yml
new file mode 100644
index 00000000000..914d320e62a
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_win_microsoft_quickassist.yml
@@ -0,0 +1,26 @@
+title: Dns Query Win Microsoft Quickassist
+id: 882e858a-3233-4ba8-855e-2f3d3575803d
+status: test
+description: Detects Microsoft Quick Assist primary endpoint that is used to establish a session.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+ - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+ - https://x.com/cyb3rops/status/1862406110365245506
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-11-29
+tags:
+ - attack.t1071.001
+ - attack.t1210
+ - attack.initial-access
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
+ Image|endswith: '\quickassist.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of Quick Assist in the environment.
+level: medium
\ No newline at end of file
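Review bot: The tags on the DNS rule map Quick Assist use to `attack.t1210` (Exploitation of Remote Services, a lateral-movement technique) and `attack.initial-access`, while the process_creation rule added in the same patch tags the same tool as `attack.t1219` / `attack.command-and-control`; the two should agree, and T1219 (Remote Access Software) is the technique that fits the referenced Microsoft write-up, so I would replace the t1210/initial-access pair with `  - attack.command-and-control` and `  - attack.t1219`. Both new titles (`Dns Query Win Microsoft Quickassist` here, `Proc Creation Win Quick Assist` in the second file) are the filename with spaces rather than a description; something like `DNS Query To Microsoft Quick Assist Session Endpoint` follows the repository's title style. Because the selection requires `Image|endswith: '\quickassist.exe'` alongside the domain match, every legitimate session also matches, which the falsepositives entry acknowledges, so either lower the level to `low` or state in the description that the rule is an audit/hunting signal meant to be correlated with other activity; the same applies to the second rule. Both files also end without a trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file check flags.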
diff --git a/rules/windows/process_creation/proc_creation_win_quick_assist.yml b/rules/windows/process_creation/proc_creation_win_quick_assist.yml
new file mode 100644
index 00000000000..941f3571f95
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_quick_assist.yml
@@ -0,0 +1,24 @@
+title: Proc Creation Win Quick Assist
+id: e20b5b14-ce93-4230-88af-981983ef6e74
+status: test
+description: Detects the use of Microsoft Quick Assist tool. Which can be used by attackers to gain remote access.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+ - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+ - https://x.com/cyb3rops/status/1862406110365245506
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-11-29
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\quickassist.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of Quick Assist in the environment
+level: medium
\ No newline at end of file
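Review bot: The description `Detects the use of Microsoft Quick Assist tool. Which can be used by attackers to gain remote access.` splits one thought into a sentence fragment; suggest `Detects execution of Microsoft Quick Assist, a remote assistance tool that threat actors have misused to obtain remote access to victims.` The `selection` is written as a one-element list (`- Image|endswith: '\quickassist.exe'`), which Sigma reads as OR-joined maps; with a single entry the plain mapping form `Image|endswith: '\quickassist.exe'` is conventional and matches how the DNS rule in this patch writes its selection. Because the image name is the only field checked, a copy of the binary under another name is not covered; if the log source supplies `OriginalFileName`, adding it as a second OR-ed alternative (value to be confirmed from the binary's version resource) makes the match sturdier.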