Loading

Quick Assist Full Control Sharing Mode Enabled

Identifies when Microsoft Quick Assist sharing mode is set to FullControl on a Windows host. This grants the remote helper full interactive control of the target device and may indicate IT help desk fraud, unauthorized remote access, or lateral movement preparation.

Rule type: query
Rule indices:

  • logs-system.application*
  • logs-windows.forwarded*
  • winlogbeat-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Tactic: Lateral Movement
  • Data Source: Windows Application Event Logs
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

Windows Application event log collection must be enabled via the Elastic Agent System integration to ingest Application log events.

Microsoft Quick Assist is a built-in remote support tool. When a sharer grants FullControl, the helper can interact with the desktop as if physically present. Adversaries abuse Quick Assist in help desk fraud and social engineering to gain interactive access without deploying separate remote access software.

Quick Assist logs these transitions in the Windows Application log under the Quick Assist provider. A setsharingmode command with sharing mode FullControl is written to winlog.event_data.param1, often alongside a JSON payload that includes "result":"true" when consent is granted.

  • Review winlog.event_data.param1 and any related Quick Assist Application log events around @timestamp for beginsharing, setsharingmode, and endsharing commands to reconstruct the session timeline.
  • Identify the local user on host.id who initiated or approved the session and determine whether Quick Assist use is expected for that user, host role, or business unit.
  • Correlate with process telemetry for QuickAssist.exe on the same host and timeframe, including parent process, command line, and code signature details when available.
  • Check for related alerts on the same host.id or user.id, such as credential access, defense evasion, or additional remote access activity during or shortly after the session.
  • If the host is a server or privileged workstation, determine whether any follow-on actions occurred during the FullControl window, such as new logons, service creation, or lateral movement.
  • IT help desk, managed service providers, and internal support teams legitimately use Quick Assist with FullControl during approved troubleshooting. Confirm the session aligns with an open ticket, known support staff, and expected host and user pairings before closing as benign.
  • Before creating an exception, anchor it on the minimum confirmed workflow: host.id, user.id, and recurring support patterns. Avoid broad exceptions on the Quick Assist provider alone.
  • If confirmed malicious, terminate the Quick Assist session, isolate the affected host when feasible, and reset credentials for accounts used or exposed during the session.
  • Preserve Application log events containing winlog.event_data.param1 and related Quick Assist telemetry before remediation.
  • Review whether Quick Assist should remain enabled organization-wide or be restricted via policy for high-value hosts.
  • Hunt for additional hosts where the same remote helper pattern or concurrent Quick Assist FullControl sessions occurred.
host.os.type:windows and winlog.channel:"Application" and event.provider:"Quick Assist" and event.code:"0" and
  winlog.event_data.param1:(*FullControl* and *setsharingmode*)
		

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK