2025-02-07
Microsoft Quick Assist, the built-in remote support tool in Windows 10, has become a popular target for threat actors leveraging social engineering tactics. While it serves as a convenient tool for remote assistance, its misuse can lead to significant security breaches, especially if not properly restricted within corporate environments.
The Risks of Quick Assist
Quick Assist operates over HTTPS (port 443), making it difficult to detect malicious activity through traditional network monitoring. Threat actors often exploit this tool to gain unauthorized access to corporate systems, bypassing security controls. The external IP of the attacker is masked by Microsoft’s RCC servers, leaving no trace in the victim’s device logs. This makes it challenging for security teams to identify and respond to such incidents promptly.
Mitigation Strategies
To prevent unauthorized access via Quick Assist, organizations should implement the following technical controls:
1. Intune Policy Configuration
Restrict Quick Assist using Intune policies. This ensures that the tool is disabled across all corporate devices.
Intune Policy Guide
2. PowerShell Command
Use PowerShell to remove Quick Assist from all user profiles:
Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers
3. Network-Level Blocking
Block the domain `remoteassistance.support.services.microsoft.com` on all systems that support URL filtering. This prevents Quick Assist from establishing a connection.
Best Practices for Remote Support
- Limit Remote Support Tools: Only one approved Remote Monitoring and Management (RMM) and remote support solution should be allowed in your organization. Unauthorized tools should trigger alerts in your XDR/SIEM/MDR systems.
- Monitor and Respond: Ensure your SecOps team is equipped to detect and respond to unauthorized remote support activities immediately.
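As an added example (not code from the original post), the following Python script turns the two points above into a concrete check: it parses constructed web-proxy log lines and raises one alert per client that contacted the Quick Assist relay domain, grading an allowed connection higher than a denied one, since an ALLOW means the URL filter did not stop the session. The log format, client addresses and the `rmm.example-approved.net` host are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic): timestamp, client IP, destination host, port, action
SAMPLE_PROXY_LOG = """\
2025-02-07T09:12:01Z 10.0.4.21 remoteassistance.support.services.microsoft.com 443 ALLOW
2025-02-07T09:12:03Z 10.0.4.21 login.live.com 443 ALLOW
2025-02-07T09:15:44Z 10.0.4.38 rmm.example-approved.net 443 ALLOW
2025-02-07T09:20:10Z 10.0.4.52 remoteassistance.support.services.microsoft.com 443 DENY
2025-02-07T09:21:05Z 10.0.4.52 www.microsoft.com 443 ALLOW
this line is malformed and must be skipped
"""

# Relay domain used by Quick Assist; add the domains of any other unapproved remote-support tool here
WATCHED_DOMAINS = {"remoteassistance.support.services.microsoft.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<port>\d+) (?P<action>ALLOW|DENY)$")


def parse_proxy_log(text):
    """Parse proxy log lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_watched(host):
    """Match the domain itself or any label beneath it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def quick_assist_alerts(events):
    """One alert per client that reached a watched domain.
    severity 'high'  : at least one connection was ALLOWed, so the control failed and a session may exist
    severity 'medium': every attempt was DENIED, but the user was still induced to launch the tool"""
    by_client = defaultdict(list)
    for e in events:
        if is_watched(e["host"]):
            by_client[e["client"]].append(e)
    alerts = []
    for client, evs in sorted(by_client.items()):
        allowed = any(e["action"] == "ALLOW" for e in evs)
        alerts.append({"client": client, "severity": "high" if allowed else "medium",
                       "first_seen": min(e["ts"] for e in evs), "attempts": len(evs)})
    return alerts
```

Feed the alerts into the SIEM rule that fires on unapproved remote-support tools; a `high` alert is an incident, a `medium` one is a user to contact before the next call from the "help desk".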
What Undercode Says
Microsoft Quick Assist, while useful, poses significant risks if not properly managed. Organizations must adopt a proactive approach to secure their environments by restricting access to such tools and enforcing strict policies. Here are some additional Linux and IT commands to enhance your cybersecurity posture:
1. Blocking Quick Assist at the Firewall Level (Linux)
Use `iptables` to block traffic to Microsoft's RCC servers:
sudo iptables -A OUTPUT -p tcp --dport 443 -d remoteassistance.support.services.microsoft.com -j DROP
Note that `iptables` resolves a hostname to its current IP addresses only when the rule is added, so the rule will not follow later DNS changes; URL filtering at the proxy remains the more reliable control.
2. Monitoring Network Traffic
Use `tcpdump` to monitor HTTPS traffic for suspicious activity:
sudo tcpdump -i eth0 port 443 -w quick_assist_traffic.pcap
3. Auditing Installed Packages
Regularly audit installed packages on Linux systems to ensure no unauthorized tools are present:
dpkg --list | grep -i quickassist
4. Enforcing UAC Policies
Ensure User Account Control (UAC) is enabled on all Windows systems to slow down potential threat actor activities.
5. Log Analysis with `grep`
Analyze logs for signs of unauthorized access:
grep "QuickAssist" /var/log/syslog
6. Automating Security Checks
Use cron jobs to automate security checks and alerts:
0 * * * * /path/to/security_script.sh
By implementing these measures, organizations can significantly reduce the risk of social engineering attacks leveraging Quick Assist. Always stay vigilant and ensure your security controls are up-to-date to combat evolving threats.
For further reading on securing remote support tools, visit:
Microsoft Quick Assist Security Guide
Intune Policy Configuration
References:
Hackers Feeds, Undercode AI