From 8e8b86aab9cc837d5f8d2c828984270ad7d00f84 Mon Sep 17 00:00:00 2001
From: z00t
Date: Thu, 19 Dec 2024 21:07:19 +0400
Subject: [PATCH] Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage new: QuickAssist Execution new: DNS Query Request By QuickAssist.EXE ---------
Co-authored-by: Nasreddine Bencherchali
---
 .../dns_query/dns_query_win_quickassist.yml | 27 +++++++++++++++++++
 ...roc_creation_win_quickassist_execution.yml | 25 +++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 rules/windows/dns_query/dns_query_win_quickassist.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml
new file mode 100644
index 00000000000..4ec687d3caf
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_win_quickassist.yml
@@ -0,0 +1,27 @@
+title: DNS Query Request By QuickAssist.EXE
+id: 882e858a-3233-4ba8-855e-2f3d3575803d
+status: experimental
+description: |
+ Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+ - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+ - https://x.com/cyb3rops/status/1862406110365245506
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-12-19
+tags:
+ - attack.initial-access
+ - attack.t1071.001
+ - attack.t1210
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\QuickAssist.exe'
+ QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
+ condition: selection
+falsepositives:
+ - Legitimate use of Quick Assist in the environment.
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
new file mode 100644
index 00000000000..78987739d6f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
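Review bot: The MITRE tags in this rule do not match what the selection detects: `attack.t1071.001` (Application Layer Protocol: Web Protocols) belongs to the command-and-control tactic rather than `attack.initial-access`, and `attack.t1210` (Exploitation of Remote Services) is a lateral-movement technique that a Quick Assist session-endpoint lookup does not exercise. The sibling process_creation rule in this same commit tags the tool as `attack.command-and-control` and `attack.t1219` (Remote Access Software), which describes this DNS lookup just as well, so aligning the tags to `- attack.command-and-control` and `- attack.t1219` keeps the two rules consistent and avoids mis-mapped coverage in ATT&CK navigator views. Separately, `QueryName|endswith` with no leading dot also matches any host name that merely ends in that string; if the exact FQDN is the expected value, an exact `QueryName:` match (or a leading-dot suffix when sub-labels are expected) states the intent more precisely, though the practical risk is small because the suffix sits under microsoft.com.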
@@ -0,0 +1,25 @@
+title: QuickAssist Execution
+id: e20b5b14-ce93-4230-88af-981983ef6e74
+status: experimental
+description: |
+ Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+ - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+ - https://x.com/cyb3rops/status/1862406110365245506
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-12-19
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\QuickAssist.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of Quick Assist in the environment.
+level: low
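Review bot: The selection keys only on `Image|endswith: '\QuickAssist.exe'`, so a renamed copy of the binary is never matched while any unrelated executable that happens to carry that file name fires the rule. Sigma process_creation rules for a specific tool usually OR the image path with the PE's original file name, i.e. a list under `selection` of `- Image|endswith: '\QuickAssist.exe'` and `- OriginalFileName: 'QuickAssist.exe'`, which covers the rename case; confirm on a sample that the Quick Assist binary's version resource actually carries that value before relying on it. It would also help analysts if the description stated that the rule fires on the helper side as well as the assisted side of a session, since that is the main source of the low-severity noise the falsepositives entry already acknowledges.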