Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssis…

…t usage new: QuickAssist Execution new: DNS Query Request By QuickAssist.EXE --------- Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
SigmaHQ · Dec 19, 2024 · 8e8b86a · 8e8b86a
1 parent a9423d6
commit 8e8b86a
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml
@@ -0,0 +1,27 @@
+title: DNS Query Request By QuickAssist.EXE
+id: 882e858a-3233-4ba8-855e-2f3d3575803d
+status: experimental
+description: |
+    Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+    - https://x.com/cyb3rops/status/1862406110365245506
+    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-12-19
+tags:
+    - attack.initial-access
+    - attack.t1071.001
+    - attack.t1210
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\QuickAssist.exe'
+        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
+    condition: selection
+falsepositives:
+    - Legitimate use of Quick Assist in the environment.
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
@@ -0,0 +1,25 @@
+title: QuickAssist Execution
+id: e20b5b14-ce93-4230-88af-981983ef6e74
+status: experimental
+description: |
+    Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+    - https://x.com/cyb3rops/status/1862406110365245506
+    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-12-19
+tags:
+    - attack.command-and-control
+    - attack.t1219
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\QuickAssist.exe'
+    condition: selection
+falsepositives:
+    - Legitimate use of Quick Assist in the environment.
+level: low