Query Details

MDE Detecting Quick Assist Usage

Query

// MDE: Detecting Quick Assist Usage
// https://www.linkedin.com/posts/activity-7196570896965287936-jut0/

// SecOps can configure below custom KQL Defender detection to monitor Quick Assist usage in the organization

DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| where RemotePort == "443"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost == "remoteassistance.support.services.microsoft.com:443"

// MITRE ATT&CK Mapping

// This query can be associated with the following MITRE ATT&CK techniques:

// T1071.001 - Application Layer Protocol: Web Protocols
// Description: This technique involves adversaries using web protocols to communicate with compromised systems to avoid detection/network filtering by blending in with normal web traffic.
// Relevance: The query inspects HTTP connections on port 443, which is commonly used for HTTPS traffic, a typical web protocol.
// T1071.004 - Application Layer Protocol: DNS
// Description: Adversaries may use DNS to communicate with systems under their control within a victim network.
// Relevance: The query inspects connections to a specific host, which could be part of a DNS-based communication strategy.
// T1071.003 - Application Layer Protocol: Mail Protocols
// Description: Adversaries may use mail protocols to communicate with systems under their control.
// Relevance: While this query does not directly inspect mail protocols, the concept of inspecting specific protocols for communication is similar.

Explanation

This query is designed to help security operations teams monitor the use of Quick Assist within an organization by analyzing network events. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at network events on devices, specifically those where HTTP connections are inspected.

  2. Filter Criteria:

    • It focuses on connections using port 443, which is typically used for secure web traffic (HTTPS).
    • It further narrows down the results to connections made to the host "remoteassistance.support.services.microsoft.com" on port 443. This host is associated with Microsoft's Quick Assist service.
  3. Purpose: By identifying these specific connections, the query helps detect when Quick Assist is being used, which can be important for monitoring remote assistance activities within the organization.

  4. Security Context: The query is mapped to certain MITRE ATT&CK techniques, which are frameworks for understanding adversary behaviors:

    • T1071.001: It relates to the use of web protocols for communication, highlighting how adversaries might use normal web traffic to hide their activities.
    • T1071.004: Although the query doesn't directly involve DNS, it touches on the idea of using specific protocols for communication, which is relevant to DNS-based strategies.
    • T1071.003: Similarly, while mail protocols aren't directly inspected here, the concept of monitoring specific communication protocols is relevant.

In essence, this query helps detect and monitor Quick Assist usage by focusing on specific network traffic patterns, providing insights into potential security risks associated with remote assistance tools.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsHttpConnectionAdditionalFieldsHostRemoteAssistanceSupportServicesMicrosoft

Operators

DeviceNetworkEvents|where==extendtodynamic

Actions

GitHub