Quick Assist Full Control Sharing Mode Enabled

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Identifies when Microsoft Quick Assist sharing mode is set to FullControl on a Windows host. This grants the remote helper full interactive control of the target device and may indicate IT help desk fraud, unauthorized remote access, or lateral movement preparation.

Rule type: query

Rule indices:

  • logs-system.application*
  • logs-windows.forwarded*
  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Tactic: Lateral Movement
  • Data Source: Windows Application Event Logs
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating Quick Assist Full Control Sharing Mode Enabled

Microsoft Quick Assist is a built-in remote support tool. When a sharer grants FullControl, the helper can interact with the desktop as if physically present. Adversaries abuse Quick Assist in help desk fraud and social engineering to gain interactive access without deploying separate remote access software.

Quick Assist logs these transitions in the Windows Application log under the Quick Assist provider. A setsharingmode command with sharing mode FullControl is written to winlog.event_data.param1, often alongside a JSON payload that includes "result":"true" when consent is granted.

Possible investigation steps

  • Review winlog.event_data.param1 and any related Quick Assist Application log events around @timestamp for beginsharing, setsharingmode, and endsharing commands to reconstruct the session timeline.
  • Identify the local user on host.id who initiated or approved the session and determine whether Quick Assist use is expected for that user, host role, or business unit.
  • Correlate with process telemetry for QuickAssist.exe on the same host and timeframe, including parent process, command line, and code signature details when available.
  • Check for related alerts on the same host.id or user.id, such as credential access, defense evasion, or additional remote access activity during or shortly after the session.
  • If the host is a server or privileged workstation, determine whether any follow-on actions occurred during the FullControl window, such as new logons, service creation, or lateral movement.

False positive analysis

  • IT help desk, managed service providers, and internal support teams legitimately use Quick Assist with FullControl during approved troubleshooting. Confirm the session aligns with an open ticket, known support staff, and expected host and user pairings before closing as benign.
  • Before creating an exception, anchor it on the minimum confirmed workflow: host.id, user.id, and recurring support patterns. Avoid broad exceptions on the Quick Assist provider alone.

Response and remediation

  • If confirmed malicious, terminate the Quick Assist session, isolate the affected host when feasible, and reset credentials for accounts used or exposed during the session.
  • Preserve Application log events containing winlog.event_data.param1 and related Quick Assist telemetry before remediation.
  • Review whether Quick Assist should remain enabled organization-wide or be restricted via policy for high-value hosts.
  • Hunt for additional hosts where the same remote helper pattern or concurrent Quick Assist FullControl sessions occurred.

Setup

Windows Application event log collection must be enabled via the Elastic Agent System integration to ingest Application log events.

Rule query

host.os.type:windows and winlog.channel:"Application" and event.provider:"Quick Assist" and event.code:"0" and
  winlog.event_data.param1:(*FullControl* and *setsharingmode*)
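The following is an added example, not part of the Elastic rule or its documentation. It re-implements the rule query above as a plain function over flattened events, and adds the session timeline reconstruction (beginsharing, setsharingmode, endsharing) and the FullControl window bounding that the investigation guide asks for. The sample events are constructed; the exact text layout of winlog.event_data.param1 (command name, mode, trailing JSON payload) and the non-FullControl mode name "ViewOnly" are assumptions, while the field names and the keywords beginsharing, setsharingmode, endsharing, FullControl and "result":"true" come from the page.

```python
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed sample events using flattened ECS-style field names.
# The param1 text layout is an assumption made for this example.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host.id": "ws-01", "host.os.type": "windows",
     "winlog.channel": "Application", "event.provider": "Quick Assist", "event.code": "0",
     "winlog.event_data.param1": "beginsharing ViewOnly"},
    {"@timestamp": "2024-05-01T10:00:30Z", "host.id": "ws-01", "host.os.type": "windows",
     "winlog.channel": "Application", "event.provider": "Quick Assist", "event.code": "0",
     "winlog.event_data.param1": 'setsharingmode FullControl {"result":"true"}'},
    {"@timestamp": "2024-05-01T10:15:00Z", "host.id": "ws-01", "host.os.type": "windows",
     "winlog.channel": "Application", "event.provider": "Quick Assist", "event.code": "0",
     "winlog.event_data.param1": "endsharing"},
    # Same keywords but wrong channel and provider: must not fire.
    {"@timestamp": "2024-05-01T10:01:00Z", "host.id": "ws-02", "host.os.type": "windows",
     "winlog.channel": "System", "event.provider": "Service Control Manager", "event.code": "0",
     "winlog.event_data.param1": "setsharingmode FullControl"},
    # Quick Assist session that never escalated to FullControl: must not fire.
    {"@timestamp": "2024-05-01T11:00:00Z", "host.id": "ws-03", "host.os.type": "windows",
     "winlog.channel": "Application", "event.provider": "Quick Assist", "event.code": "0",
     "winlog.event_data.param1": 'setsharingmode ViewOnly {"result":"true"}'},
]


def matches_rule(event: dict) -> bool:
    """Mirror of the rule query: equality on the keyword fields, and the two
    *...* wildcards become case-sensitive substring tests on param1."""
    param1 = event.get("winlog.event_data.param1", "")
    return (
        event.get("host.os.type") == "windows"
        and event.get("winlog.channel") == "Application"
        and event.get("event.provider") == "Quick Assist"
        and event.get("event.code") == "0"
        and "FullControl" in param1
        and "setsharingmode" in param1
    )


_COMMAND_RE = re.compile(r"\b(beginsharing|setsharingmode|endsharing)\b")
_JSON_RE = re.compile(r"\{.*\}")


def consent_granted(param1: str) -> Optional[bool]:
    """Parse the JSON payload at the end of param1, if present, and return
    whether its "result" is "true". None means no parseable payload."""
    m = _JSON_RE.search(param1)
    if not m:
        return None
    try:
        payload = json.loads(m.group(0))
    except json.JSONDecodeError:
        return None
    return str(payload.get("result", "")).lower() == "true"


def reconstruct_sessions(events):
    """Group Quick Assist Application events by host.id and order them by
    @timestamp. Each row is (timestamp, command, full_control, consent)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("winlog.channel") != "Application" or ev.get("event.provider") != "Quick Assist":
            continue
        param1 = ev.get("winlog.event_data.param1", "")
        cmd = _COMMAND_RE.search(param1)
        per_host[ev["host.id"]].append((
            datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00")),
            cmd.group(1) if cmd else "unknown",
            "FullControl" in param1,
            consent_granted(param1),
        ))
    return {h: sorted(rows, key=lambda r: r[0]) for h, rows in per_host.items()}


def full_control_window(events, host_id):
    """Return (start, end) of the FullControl window on host_id: from the first
    setsharingmode FullControl event to the next endsharing (end is None while
    the session is still open). Follow-on activity such as new logons or
    service creation is checked against this window."""
    start = end = None
    for ts, cmd, fc, _ in reconstruct_sessions(events).get(host_id, []):
        if start is None and cmd == "setsharingmode" and fc:
            start = ts
        elif start is not None and cmd == "endsharing":
            end = ts
            break
    return start, end


if __name__ == "__main__":
    alerts = [e for e in SAMPLE_EVENTS if matches_rule(e)]
    print(f"{len(alerts)} alert(s) from {len(SAMPLE_EVENTS)} events")
    for host, rows in reconstruct_sessions(SAMPLE_EVENTS).items():
        for ts, cmd, fc, consent in rows:
            print(host, ts.isoformat(), cmd, "FullControl" if fc else "-", consent)
    print("FullControl window on ws-01:", full_control_window(SAMPLE_EVENTS, "ws-01"))
```

Only the ws-01 setsharingmode event fires the rule; the ws-02 event carries the same keywords but is filtered out by the channel and provider checks, and the ws-03 session never reached FullControl. The window returned for ws-01 is the span an analyst would pivot on for new logons, service creation or lateral movement.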

Framework: MITRE ATT&CK™