
where he focuses on uncovering the root cause of security incidents and safeguarding organizations from emerging threats. With a career dedicated to leading top-performing incident response teams, managing security operations, and conducting in-depth forensic investigations, Tyler has built a reputation as a trusted expert in the field. Outside of work, he enjoys immersing himself in RPGs and board games, combining strategy and creativity in both his professional and personal life. We would like to thank him for being a speaker this morning. So, thank you so much, and I will turn it over to Tyler.

All right. Thank you, everyone. Could you tell that bio was written by our marketing team? But yeah,
again, I'm Tyler Hudak. I've been doing IR and forensics for a while; I've been in security for a while. One of the things that I love is diving into new things: looking at the way attackers are doing things and seeing, from an IR or forensics perspective, how I can figure out what happened. That's what this talk is really about: Microsoft Quick Assist. We'll talk about what it is, why we even care about it, how attackers are using it, how it works, and, more importantly, if you see something bad happening with it, what can we do about
that? What can you figure out? I will say this is a work in progress. I'm still doing research on this. My next steps are basically to break open the executables and start reverse engineering them to try to figure some things out, so I will likely be publishing more of this in the future. This presentation is on my GitHub; there's a link at the end if you want to see it. But let's jump into it.

So Quick Assist is an RMM at its core. If you're not familiar, RMMs are remote monitoring and management tools. These are tools that allow
administrators to connect to, manage, or monitor endpoints easily within an organization. So, for example, we have our user here who needs help. They call IT and say, "Hey, can you connect to my computer to fix it?" Within an organization, within an internal network, yeah, IT could just use RDP to connect to it. But what if that user is at a conference? What if they're working from home? What if they are halfway across the world at a Starbucks? IT can't just RDP to that. That's where RMMs come in. IT will use the RMM interface to connect
to the system, monitor it, manage it, get onto the desktop, and so on. This is a very simplified view of RMM; they do a lot more. So think of things like NinjaRMM, TeamViewer, and a bunch of others. Kaseya had a big breach a couple of years ago, I think a year or two ago, which led to a lot of bad things happening. But this is what RMMs typically can do. Microsoft Quick Assist is an RMM at its heart. You have a sharer: this is the person who wants somebody to connect to their
system. And you have the helper: this is the person who's going to connect to the system. These are Microsoft's terms from their documentation. So, if the sharer wants help, the helper will open up Quick Assist. They'll click a little button that says "I want to help somebody," and they will get a code. The helper gives this code to the sharer, the sharer enters it, and then a connection is made between the two. We'll talk about where those connections happen in a little bit. The helper is then able to see and access the desktop of the user.

So, a little bit of history,
because this is going to become important later on. Quick Assist hasn't been around forever. Back in the Windows XP days, we had Remote Assistance, and Remote Assistance was basically a front end to RDP for the most part; you had to have 3389 opened up in order for Remote Assistance to work. Moving forward with Vista, it was upgraded to have the nice little GUI that we have on the right side, and some additional features were added. Quick Assist wasn't introduced until the Windows 10 Anniversary Update. Remote Assistance is still present on Windows 10 and Windows 11; it's just hidden. If you go to the Start menu and type "remote assistance," it will actually
pop up. You can still use it, but Quick Assist is what is normally used. Now, it is installed by default on the Windows 10 Anniversary Update and on Windows 11 and beyond. We'll talk about the differences there in a little bit. In November of 2021, Microsoft Intune Remote Help was introduced. This is basically an upgraded Quick Assist, a business-friendly version of Quick Assist. This will come into play later on, so remember that there is a paid version of Quick Assist.

All right. So why are we even talking about this? Well, Quick Assist is being used by attackers to get into organizations. It's used in social engineering attacks. It has been used by
Black Basta for ransomware attacks, as well as by many other threat actors out there. Why? Well, because it's installed by default on Windows. So this is how the social engineering attacks pretty much happen. You have your sharer, and you have your helper, who is our hacker in this case. By the way, I love the PowerPoint cartoon figures; that is one of my favorite features of the new PowerPoint. But sorry. So the helper, who is our hacker, says, "Hey, I'm IT support. Enter this code so I can fix your printer," because everybody's printer is always
broken. In a lot of cases this happens within Teams. A lot of organizations have Teams misconfigured so that external Teams users can message internal users, so an attacker will create an account like "IT Support <your organization name here>" and will start messaging the users and say, "Hey, I need to connect to your computer to fix it." The user says, "Sure, no problem," enters the code, and now the attacker has access to their system. Like I said, this is being
used a lot by threat actors to get onto systems, install backdoors, and then leverage their initial foothold.

So that was a high-level overview of how Quick Assist works. Let's jump into it a little more in depth. I want to pull the covers back from Quick Assist a little bit, because this is going to factor into what we can actually do from a forensics perspective. So Quick Assist does have limitations. First off, the sharer must consent to letting the helper control their system. When you connect via Quick Assist, once the user enters
that little code, the only thing you can do at that point is see their system. You cannot control their system. There's a little button that has to be hit by the helper that says they want to control the system, and then a little popup appears on the sharer side that says, "Do you want to allow so-and-so to control your system?" So they do have to click through. I mean, we know users; they're going to click through that anyway. If it is telling them, "Hey, we need to control your system," they're going to let that happen. But there is at least that consent that
needs to happen. Once that happens, the helper can control the system and they can chat with the user; there's a little text chat feature. There are a couple of other minor things, like marking up the screen and so on, but the helper cannot natively transfer files to the system. You cannot transfer files natively through Quick Assist. You cannot copy and paste through Quick Assist. And the helper cannot click through UAC prompts. If a UAC prompt happens, the sharer has to click through it. And of course, if that happens, the helper is going to say, "Please click through this," and the sharer is going to do that. But the
helper cannot natively do this. I'm going to put a little asterisk on this, because I truly believe that you can actually do this because of the underlying protocols being used; nobody has just gone through the motions to figure it out yet.

So, where is Quick Assist? Quick Assist will live in one of two locations depending on the version that you have. There are essentially two versions of Quick Assist that I've been able to find. The first lives in System32. Both executables are called QuickAssist.exe. The one in System32 is installed by default on Windows 10 systems. I have not seen it outside of Windows 10 systems yet. To be
fair, I have not had a huge number of systems that I have been able to go through to find Quick Assist, but for the most part, in my observations, System32 means it was installed by default with Windows 10. There is also another version within Program Files\WindowsApps\MicrosoftCorporation.QuickAssist_ followed by the version number of Quick Assist and some more characters. This version is installed if you install it from the Microsoft Store, because it is in the Microsoft Store, or if it is installed on Windows 11 by default. I've seen it installed in this location.
I have not yet seen it installed in System32 on Windows 11 by default, but that doesn't mean you may not find it there as well. That's right. Exactly. Yeah, good point: if they upgraded from Windows 10, then it would likely live within System32. There is a difference between these two. I will point out those differences as we move through this, because they become very important.

So, authentication: how does that work? Well, there is a little bit of authentication that does take place. The sharer obviously is already logged into their computer, so they've already authenticated through whatever means is necessary. The helper
does have to authenticate to their Microsoft account or an Entra ID in order to help somebody. So whenever in Quick Assist you want to help someone, you click that little "help someone" button, this pops up, and you have to sign in to Microsoft. We're going to circle back to a lot of these; I'm just trying to lay the baseline right now.

So Quick Assist is running. What happens with all the processes? How does this all work? So, the user runs Quick Assist. It launches QuickAssist.exe. From there, Quick Assist launches a child process called msedgewebview2.exe, and it will
have this parameter: --webview-exe-name=QuickAssist.exe. msedgewebview2, or I think Microsoft calls it Microsoft Edge WebView2. I'm not a developer, so I'm probably going to get this a little bit wrong, but it's essentially a way for programmers to bring web components like HTML, JavaScript, CSS, and so on into native applications. It's a way to allow developers to combine, I'm going to say, the best of both worlds: having a native application but also having a web application. Again, I'm not a developer, but if you're familiar with
something like Beautiful Soup or libcurl or things like that, I have a feeling it's very similar to this, but it's used in a lot of places. If you have an EDR or a data lake, go through and look to see how many msedgewebview2 processes you have. You're going to find an immense number. But we know that this one is associated with Quick Assist because it does have the --webview-exe-name=QuickAssist.exe parameter. From there, our original child process launches a number of other msedgewebview2 child processes. These may or may not have the webview-exe parameter on them. Some of them do,
some of them don't. So how do you know that they're associated with Quick Assist? You kind of have to look at the parent-child process relationships in order to figure that one out.

All right. Unfortunately, programs executed in the QA session, the Quick Assist session, are run under the normal Windows parent-child process tree. They are not run under the Quick Assist or msedgewebview2 processes. What I mean by this is, when I was testing this out, I connected to a system via Quick Assist. You can see the Quick Assist processes there and the msedgewebview2 ones. Through that activity, I also launched Notepad and
cmd.exe from the helper's computer on the sharer's system. They were not under the Quick Assist processes; they were under explorer.exe. I believe this is very similar to how things like TeamViewer work, so this isn't necessarily a surprise. But just to hint at things to come, this also makes it very difficult for us to say which processes the attacker executed versus the user. There's nothing to tie those two together. There are still ways that we can figure this out, kind of.

All right, network communications. Quick Assist uses RDP as its underlying protocol. If you recall, Remote Assistance was basically RDP with
some stuff tacked on to it. That's kind of how Quick Assist is: it is using RDP as the underlying protocol. However, it communicates over port 443 using TLS 1.2 and does not use 3389. Additionally, the sharer and helper never directly connect to each other. Everything is going through Microsoft servers; specifically, the first one that's connected to, or the main one, is remoteassistance.support.services.microsoft.com. So again, to go through that session: the helper wants to connect to the sharer, and all of the traffic between the two is going up through Microsoft's servers and then back down. You might think, "Oh, well, I want to block this, so I just need to block
this particular website." Or, if you want to allow it, you only need to allow this particular website. No. These are all of the Quick Assist servers that you need to allow, or block, to get it to work. I think actually if you were to just block the remoteassistance domain, that would kind of kill the connection, but these are all the things that need to be allowed. This is only for Quick Assist. Microsoft has a whole other slew of websites that need to be open for msedgewebview2. So it becomes a little bit cumbersome on the allowing side, if you only
want to allow those sites that are needed for it to run. In terms of network monitoring, this also becomes a little bit of a nightmare. All right, I know I've been going through that fast. Any questions so far? Cool. Yes, we will definitely get into the auditing. Absolutely. You can tell by my laugh it's bad. It's worse than normal Microsoft. I am trying to be a little positive in this, but it's bad.

All right. So I taught the forensics class yesterday, and one of the things that I like to teach is when you're going into a forensic
investigation, you should have questions in mind, because that's going to help you focus your investigation. So I sat down and thought, all right, if I'm going to do a Quick Assist investigation, or an investigation that involves Quick Assist, what do I want to know? Forensically, what do I want to be able to determine? So: I want to be able to determine, was this system the helper's or the sharer's PC? You're going to have different artifacts based on that. And I want to say, too, that 99% of the time in an attack scenario, you are probably only going to have the sharer's PC. The
helper PC is probably the attacker's, which you're likely not going to have access to. So keep that in mind. But more importantly: when did the Quick Assist session start and when did it end? What are the time frames that I need to focus on for that session? Was consent given? Did the sharer allow the helper to actually control their system, or did they only let them view what was on the screen? Viewing what was on the screen could still be an issue depending on your environment, but it may not be as much of an issue if consent was not given. What was the user ID utilized and the
IP address of the helper? Remember, the helper has to log in to Microsoft in order to use this. Do we get the user ID of that user so that we can go and do some more research, or get them taken down, or whatever? And can we figure out what the IP address of the helper is so that we can detect those malicious connections or find them? And finally, what did the helper do? What was their behavior on the system? What did they access? What did they execute? What did they tell the user to do? And so on. So I want to try to answer all of these questions.
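Editor's note: the script below is an added example and is not code from Tyler's talk, his GitHub, or Microsoft. It collects, from a sharer (victim) PC, the artifacts the rest of the talk walks through (the two QuickAssist.exe locations, the msedgewebview2.exe parent/child tree, the Store build's Application-log events, the Helium package directories and the EBWebView Chromium profile, the WasEverActivated registry value, and prefetch) into one folder so they can be timelined against the questions above. Several details are assumptions that the talk does not confirm: that the Application-log provider name contains "QuickAssist", that the child-process parameter is spelled --webview-exe-name=QuickAssist.exe, that the request names appear in the raw event XML in the spellings used by the regex, and that the user-profile Helium directory lives under %LOCALAPPDATA%\Packages.

```powershell
# Added example (editor's, not from the talk): live-response collection of the Quick Assist
# artifacts discussed in this session, from the sharer (victim) PC. Run elevated, as the user
# who ran Quick Assist (or after loading that user's hive). Assumed, not confirmed on the page:
# provider name matches 'QuickAssist'; WebView2 children carry --webview-exe-name=QuickAssist.exe;
# request names appear in the raw event XML as BeginSharing / SetSharingMode / FullControl /
# EndSharing / AppClosed (the regex tolerates spaces and case); user Helium path under %LOCALAPPDATA%.
param([string]$OutDir = (Join-Path $env:TEMP 'QA-triage'))
$null = New-Item -ItemType Directory -Force -Path $OutDir

# 1. Which build is on the box: System32 (Windows 10 default) or the Store package (Windows 11 / Store)?
$candidates = @("$env:SystemRoot\System32\QuickAssist.exe")
$candidates += Get-ChildItem "$env:ProgramFiles\WindowsApps" -Directory -Filter '*QuickAssist*' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'QuickAssist.exe' }
$candidates | Where-Object { $_ -and (Test-Path $_) } | Get-Item |
    Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, @{n='Version'; e={ $_.VersionInfo.ProductVersion }} |
    Export-Csv (Join-Path $OutDir 'binaries.csv') -NoTypeInformation

# 2. Live process tree. The first msedgewebview2.exe child carries the tag on its command line;
#    later ones may not, so walk ParentProcessId (depth guard against recycled PIDs).
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$procs | Where-Object { $_.Name -match '^(QuickAssist|msedgewebview2)\.exe$' } | ForEach-Object {
    $chain = @(); $cur = $_; $depth = 0
    while ($cur -and $depth -lt 16) {
        $chain += ('{0}[{1}]' -f $cur.Name, $cur.ProcessId)
        $cur = $byPid[[int]$cur.ParentProcessId]; $depth++
    }
    [pscustomobject]@{
        PID         = $_.ProcessId
        Created     = $_.CreationDate
        TaggedQA    = [bool]($_.CommandLine -match '--webview-exe-name=QuickAssist')
        InQATree    = [bool](($chain -join ' ') -match 'QuickAssist\.exe')
        ParentChain = ($chain -join ' <- ')
        CommandLine = $_.CommandLine
    }
} | Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# 3. Application log (Store build only; the System32 build logs nothing). Event ID is always 0 and
#    the payload is only in the raw XML, so pull ToXml() and mark the session-state commands.
$marker = 'QuickAssist\.exe launched|Begin\s?Sharing|Set\s?Sharing\s?Mode|Full\s?Control|End\s?Sharing|App\s?Closed'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 0 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'quick\s?assist' } |
    ForEach-Object {
        $xml = $_.ToXml()
        [pscustomobject]@{
            TimeCreatedUtc = $_.TimeCreated.ToUniversalTime()
            ProcessId      = $_.ProcessId
            Markers        = (([regex]::Matches($xml, $marker, 'IgnoreCase') | ForEach-Object { $_.Value } | Sort-Object -Unique) -join ';')
            RawXml         = $xml
        }
    } | Sort-Object TimeCreatedUtc | Export-Csv (Join-Path $OutDir 'quickassist-events.csv') -NoTypeInformation

# 4. File artifacts (both builds): the Helium package directories with their registry files, and the
#    Chromium profile used by WebView2 (History holds the remoteassistance.support.services.microsoft.com,
#    /screenshare and status-ended hits). Copy the profile out for Hindsight while Quick Assist is closed;
#    the live History SQLite file may be locked.
$artifactDirs = @(
    "$env:ProgramData\Packages\*QuickAssist*\*\SystemAppData\Helium",
    "$env:LOCALAPPDATA\Packages\*QuickAssist*\SystemAppData\Helium",   # assumed user-profile path
    "$env:LOCALAPPDATA\Temp\RemoteHelp\EBWebView"
)
Get-ChildItem -Path $artifactDirs -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc |
    Export-Csv (Join-Path $OutDir 'files.csv') -NoTypeInformation
Copy-Item "$env:LOCALAPPDATA\Temp\RemoteHelp\EBWebView" (Join-Path $OutDir 'EBWebView') -Recurse -Force -ErrorAction SilentlyContinue

# 5. Registry: WasEverActivated in the user's hive. reg.exe searches key names, value names and data
#    recursively; HKCU is the account running the script, so load the victim's NTUSER.DAT / UsrClass.dat
#    if that differs. Key last-write times (the "last QA execution" clue) need an offline hive parser.
& reg.exe query HKCU /s /f WasEverActivated 2>$null | Set-Content (Join-Path $OutDir 'registry-WasEverActivated.txt')

# 6. Prefetch, to pin launch times when there is no event log (System32 build).
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter 'QUICKASSIST*' -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTimeUtc, LastWriteTimeUtc |
    Export-Csv (Join-Path $OutDir 'prefetch.csv') -NoTypeInformation

Write-Host "Quick Assist triage written to $OutDir"
```

Read processes.csv for rows where InQATree is true but TaggedQA is false; those are the untagged WebView2 children the talk describes, and they are only attributable through the parent chain. quickassist-events.csv gives the launched / BeginSharing / SetSharingMode+FullControl / EndSharing / AppClosed sequence with timestamps, which answers the start, end and consent questions on the Store build; the System32 build will leave that file empty, and you fall back to prefetch, the Helium timestamps, and the EBWebView History (run Hindsight against the copied profile).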
So, event logs. First off, if you have the System32 version, there is nothing logged. Nothing in the event logs. Nothing in a random text log file on there. There is literally nothing logged. Yes. Nope. Oh, the bitmap cache. Yes, but that is on the helper's PC, which you don't have access to. Yeah. Right. So if you Google this and ask where you can find Quick Assist logs, you will eventually find one of those Microsoft Answers help sites, where I think random people answer the questions and get credits, or however that works. Somebody does say, well, you can go and look in the Remote Assistance
event logs. That is not true. That is for Remote Assistance, not Quick Assist. Those are two different things. So unfortunately, for the System32 version, I have yet to find anything actually logged. Fortunately, with the Windows 11 or Microsoft Store version, you do get some logs within the Application log. They are under the Quick Assist source, so you filter by Quick Assist as the source. All the event IDs are zero, and there is no defined structure to any of these events. In fact, if you go into Event Viewer and pull these up, where the data usually is, it is blank. You have to go into the raw view of the
events in order to actually see any information. To me, this feels like somebody just randomly put in some debug and error messages to troubleshoot things, and that it's a mistake, that it was never meant to do this. So that means it could go away at any time. Hopefully the opposite will happen, where they'll get some more defined logs, but given what I've seen about Quick Assist, I kind of doubt it. They probably do not know it's there. Yeah. This is another one of the reasons why I want to crack it open and look at how these are being logged within the binary. But
all right, so what do the event logs look like? This is the raw view. You've got the event source, the event ID, the event data. There is one that's logged that says "QuickAssist.exe launched." This is the most normal of the event logs. This one I actually think you can see. It does give you a timestamp, so you can see when Quick Assist was launched. So we've kind of answered part of our questions already.
Yes. Okay. Yeah. So the process ID on here, you could tie it back to the process ID on the system. I don't have pictures of the error messages, but there are error messages that appear in here as well when you start launching Quick Assist. I have not found them useful at all. They seem to be error messages like DLLs that loaded or did not load, and then nothing else. So they do give you an indication that Quick Assist was run, if the launched event was not in the logs, but
outside of that, I have not found any use for them. The rest of the logs that you see are basically these pseudo-JSON events that have both a request and a response. Within them there are a couple of important pieces. The first, you see this context command request/response. That means that that system, which is probably the sharer in this case, made a request or received a request. Actually, I don't know how to figure out which one, how that relates to things. I need to figure that
one out, so sorry about that. But in any case, a command was created, a request to begin sharing. So basically you have the command request/response, sometimes that's a little bit different, and then you have the context of the command: you have context response name "begin sharing." That's what is being requested. So in this particular case, this happens early on in the session, where the helper is requesting from the sharer to begin sharing their screen. This is not an "allow me to control your system"; this is a "let's begin that sharing session." Then you have that connection string, which is a
lot of Base64 and other stuff. Sometimes that contains information, sometimes it does not. Overall, looking at all the event logs in this format, not everything is logged. So not everything that is done within the session is logged, and that connection string may be truncated. There are times where you will see this connection string and then it just abruptly stops. There are times where there is readable information in there and then it just gets cut off. So something is truncating it. So this is the request. The response will have the response name, which is going to be whatever the original request command was, and
then successful, or additional data. I do not have a screenshot of this, because I have not been able to confirm this yet, but there is one of these JSON requests that I think might have information about the helper system that is connecting in. However, that is limited to the operating system of the system that's connecting in. There is no user ID information. There's no IP address information. There are no unique identifiers. When I was testing it out, it basically said a Windows 10 system, and then it actually said, it must have done something to look at the NIC or something else, because it knew that it
was a VMware system as well. The reason I'm saying I have not confirmed this yet is because I have not seen this done consistently, and I have not been able to correlate whether it is in fact pulling this from the sharer system or the helper system or someplace else. So I want to dig into that first. There may be a little bit of information about the attacker system in the logs, but I have yet to confirm that, which is why it's not fully in here yet.

So there are a number of these log messages that are useful. We can tell when Quick Assist was launched, because we get that Quick
Assist launched message. When the sharer shares their screen with the helper, you see that begin sharing command, and then you'll see a response as to whether or not it was successful. If the sharer gives consent to the helper, you're going to see a request called set sharing mode, and the context information is sharing mode "full control." So we do actually get it logged when full control is requested. If there is a response that says success true, then we know that the sharer did consent to giving the helper access to their system. If control is canceled or removed, because the sharer does have the
ability to kill that control at any time, you will see the set sharing mode set back to "view." So you either have full control or view; by default it goes into view, because again, when you first connect, the helper does not have the ability to access or control the system. When sharing stops, you will get a request name of end sharing, and then when Quick Assist is closed, you will see something that says "send app closed." So we do get a little bit of information. Remember, this is only in the Windows 11 Store version; with the Windows 10 default, if it's in System32, you will get none
of this. Yes.
I have not seen that yet. So, the way that I tested this out, and I'm not going to say that my testing methodology isn't flawed, but the way that I tested this out is I had two systems, one Windows 11 and one Windows 10, and I connected back and forth between the two. Then I basically ran some triage software on them to pull everything out and analyzed everything that happened between the times that I was doing this. I did not see those popup event logs anywhere. That doesn't mean I couldn't have missed them, but I definitely did not see them.
Okay.
Gotcha. I will have to dig into that more. I don't recall seeing that, but again, this is kind of a work in progress. I'm actually hoping now that I do find that, now that you brought it up. But for the most part, at least talking event logs, this is what you get. Unless, of course, Quick Assist crashes, and then you'll have all the crash logs, but that's probably not going to happen. Yeah, well, you're right, it probably does happen a lot, but in a forensic investigation, I don't get that lucky.

All right, but the helper had to authenticate,
right? Remember, the helper authenticates to Microsoft in order to do this. So that surely means that somewhere an authentication event, a Security 4624, is logged, right? No. Nothing is logged. I'm sure on Microsoft's side it is. And if you were lucky enough to have the helper be a compromised IT user who logged into their Entra ID, then you would have those logs. But by default, we have some random attacker on the internet, probably connecting in through a VPN, through Quick Assist, and so on. We have no authentication logs. The most that we can tell, that I've seen so far, is maybe we can tell their operating
system.

What about file artifacts? Well, on the sharer side, there are actually a number of file artifacts that get created, and so far this has been for both the System32 and the Microsoft Store versions. First off, in ProgramData\Packages\<the Quick Assist directory>\<the user SID>\SystemAppData\Helium, you're going to have some files that are dropped in there, or at least that directory is created. The SID that is in the directory structure is going to be the user who ran Quick Assist on that computer. So if you didn't know, and you probably do, but if you did not know,
then you now have the SID of the user. There are two other directories. First off, that particular user's directory, with a very similar directory structure to Helium, actually drops a registry file in there. I think it's actually a UserClasses.dat, although I could be wrong. It's either NTUSER or UserClasses.dat; I don't remember which one. Same thing for the next directory, where instead of the user's directory it's in the all-users directory, and the SID is in that directory structure as well. Unfortunately, so far I have not found anything useful within those registry files. And I have gone through and made sure that the helper was
opening files, executing programs, doing things that I would expect to trigger something in a registry file, and nothing is logged in those. You can use those registry files, though: the date and timestamps on them, or the last write timestamps within the registry files, to get an idea of when Quick Assist was run. But it's not going to give you any information as to what was done in that session, so far. Again, I don't know why these are created. There are a lot of unknowns with the "why" for some of these artifacts, just like with a lot of forensics.
Yes. Yes. Yeah. That's in a slide coming up, but yes, you can timeline when the execution artifacts happen. You just cannot tie them specifically to the Quick Assist session. Yes, we do get something that tells us where the session ends. I know where you're going with this; we will definitely talk about that in another slide.

So, all right, this is probably the best file artifact that is dropped. Remember that msedgewebview2 is based on Microsoft Edge, which is a Chromium-based browser. In the AppData\Local\Temp\RemoteHelp\EBWebView directory on the sharer side, so
it's going to be in their user's AppData\Local\Temp, you will find a bunch of Chromium browser files. So the History file, the Cookies file, things that you would expect to find in a browser, browser artifacts, you're going to find in this directory. This is great, because we can then analyze this. It does have information in it. My preferred tool is Hindsight for Chromium browsers. Yeah, it is amazing. They just came out with a new version which does a ton more stuff. So you can actually find some good information in here. Particularly what I found useful, and again I'm still digging through
all this, is within a number of the files, I think mostly in the History file, you will see access to the remoteassistance.support.services.microsoft.com site; that does get logged into the history. The first instance of this will occur shortly after Quick Assist is launched. So as soon as Quick Assist is launched, it makes that connection out to that Microsoft site, and that does get logged. It's not exactly when Quick Assist was launched; you probably have to look at other artifacts like that Quick Assist launched event, or prefetch, or any other artifacts. But you can at least correlate it here. You will also see
access to that URL's screenshare path. This happens after screen sharing is enabled or the sharing code is entered. So when that initial connection happens, the user enters that sharing code to share their screen with the helper, and the browser, or I guess msedgewebview2, is going to connect to the /screenshare page. And then finally, when the sharing connection has been closed, it's been completely shut down, you will see a connection to a "status ended" page. I have not found anything within these artifacts to state if consent was given, or chat logs, because remember, there is some chat there. I actually have not
found chat logs anywhere yet. To be fair, I wasn't specifically looking for that; that wasn't a top priority for me. Remember, this is my work in progress. But these are the biggest things that you're going to find in here. Again, this might change. This one does not feel like a mistake, unlike the event logs. There are going to be some things that may continue to appear in here or may kind of eke themselves out, but if you're going to grab something, this would probably be the best thing to grab.

RDP artifacts. Remember that RDP is the underlying protocol here.
Unfortunately, no RDP logs are created on either side. So if you're familiar with the way that RDP works, there are some event logs, the Microsoft-Windows-TerminalServices logs. There are, I think, eight to a dozen of them that contain a lot of information. Nothing is logged in these. On the helper side, you do get the RDP cache. If you're unfamiliar with this artifact, it's a really cool artifact: basically, RDP will cache screenshots of the screen, broken up into, I think, 64 or a bunch of different little images that you then have to play, yeah, puzzle with. Yeah, the RDP pieces. Yep. So there are tools that you can use to help stitch it back together. The thing to understand, though, is that this is not on the sharer side. This is not the victim side. This is the attacker side, which you probably don't have access to. Yes, exactly. So this does appear in some cases. Go ahead and look for it, but you're probably not going to get it.

The registry side. I have seen that in the registry, in particular the user's registry, the user who ran this, in this really, really long key, there is a value called "was ever activated" which gets set to 1 the first time Quick Assist is run. I think every time you run it, it will go in and probably reset that to 1, so the last modify time for that key is going to show you the last QA execution. So if you lost all other artifacts, you might get lucky and see this, and then, if you didn't have the event logs and the user says "I never connected to Quick Assist", their registry is going to say otherwise. There is also, under that key, this "ham au app v1 lu" with these values pct and ptt that have some hex strings in there. I haven't figured out what those are. I think those are related to Microsoft applications. I need to hit up a developer at some point to figure out what these are, because when you Google that key, the "ham aui" and so on, it shows up in other apps. So it's definitely something common that's happening. I just have not figured that out yet, and my Google skills did not figure it out either. All right.

Execution artifacts. So you asked about this. Remember that when we go into the Quick Assist session, when I launched Notepad, when I launched cmd.exe, or anything else that the attacker would launch, it was under the normal parent-child process tree of explorer. Because of this, all executed processes are going to be under the sharer's ID, the victim who's logged into their computer. Unfortunately, there's nothing in the process execution logging that is going to show what was executed by the helper. So if you have 4688 turned on, or Sysmon process execution logs, or your EDR logs, there is nothing in there that I have been able to find yet that says "this was executed from a Quick Assist session". The logon IDs or the logon sessions are the same as the user's; the desktops are the same as the user's. It's as if the attacker was physically sitting next to the victim in this case.

However, that doesn't mean we can't figure this out. The way that I would recommend doing this is you first find the start of the Quick Assist session. When did this session start? We can do that through a number of different ways. We can look at the event logs; we can look at the application event log for Quick Assist. The MS Edge history files that I just talked about have that information in there as well. You can look at Prefetch. You can look at the creation time of all the file system artifacts. If you have network activity being logged, you can see when that system goes out to that Microsoft site. So there are multiple ways that we can figure out when the QA session started. Then we need to figure out when it stopped. We have this in the application event log, the history files; we can look at the last modification date of some file system artifacts; you can look at network activity, and so on. So there are ways that we can do this. From there, go back to the basics of forensics: look for evidence of execution artifacts that occur between those times. So we've got Prefetch, we've got SRUM, we've got 4688 and Sysmon if they're turned on. There are multiple places in the registry: Amcache, UserAssist, other places. There are lots of places in here that we can look to see what was executed during that time frame. And then we look at the context of that. And I know we don't like to do this, but talk to the user; ask them what the attacker did. Sometimes they'll actually be truthful with you. But it's very obvious that if you have some random HR person who this happened to, did they actually execute PowerShell? That's probably unlikely. It was probably the attacker. And so you can dig into it and look at the context of what was being run, based off of what was happening in there.

The reason I'm talking like this is, from a forensic perspective, at least my perspective, I want evidence from the system that tells me who did what. I'm not going to rely on the attacker or the user to tell me that. I'm not going to guess at that. So the more that I can prove based off of artifacts, I'm going to do that. And that's why I'm saying don't just assume that if PowerShell was run, it was the attacker. It very well could have been the user, depending on who the user is. But this is how I would go through and figure this stuff out.

Network artifacts. Everything goes through Microsoft servers. It is encrypted traffic. You may be doing TLS inspection in your environment; probably not, based off of my experience. But everything's going through Microsoft servers, so you may see when the activity occurred, you may get the number of bytes that were transferred back and forth, but that's about the limit of what you can do. Microsoft might have the data, but they only keep that for, I think, three days. And good luck getting that, because everything is stored on Microsoft servers. They even say on their web page, it's hard to see here, that no logs are created on either the helper's or sharer's device, and that Microsoft keeps an abbreviated version of the helper's name and no other information about them. So if you did want to find out who logged in to help your user, Microsoft has that information, but I have no idea how you'd get that outside of a court order or a subpoena or whatever you need, and good luck getting that within 3 days.

So going back to our forensic investigations, we can answer some of these questions. Is this the helper's or the sharer's PC? Yes, we can do that. When did the QA session start or end? We can do that. Was consent given? There are some artifacts that tell us that. The user name, ID, or IP address of the helper? Unfortunately, we cannot do that; I have yet to find something that gives us that information. What did the helper execute or access? We can kind of determine that based off of the procedure that I showed, but there's nothing that gives us direct evidence, so you're going to have to do a little bit of investigation to try and figure that out.

I only have a couple minutes left, so I'm going to go through this pretty fast. Prevention. So what if you don't want Quick Assist to run in your system? Good luck. There are no native access controls for Quick Assist. Nothing. It either runs or it doesn't. Unless you buy Microsoft Intune Remote Help, which is that business version; then you get all the logging and all of the access controls. Of course, like Microsoft has done in the past, they put the security behind a paywall. Yeah. So I'll just move on. But there are no native access controls for Quick Assist.

There are some things that you can still do. You can block access to the remote assistance site. This is also going to block access to MS Intune Remote Help, but if you don't use that, who cares? You can also uninstall or delete Quick Assist. Remember, this is installed by default on Windows 10 and Windows 11. You can go through and delete that or uninstall it. If you do need it, upgrade to the Microsoft Store version so you at least get that weird, somewhat logging. You can also deny-list this, and that's probably the best thing that I would do. In fact, I would recommend, if you're not going to use it, uninstall and make sure it's deleted, and then deny-list it. And actually, I recommend doing all of these. Deny-listing it will at least allow you, if the user decides to put it on, or the attacker tricks them into putting it back onto the system, to prevent it from running. And then monitor for execution. That's kind of hard to do, though. The reason I say that is, the company I work for, we have a SOC, we have a big data lake. I went back over the last roughly 30 days looking for any place where the Quick Assist or the msedgewebview2 processes were running for Quick Assist, and found over 2,000 matches amongst all of our clients within 30 days. I don't know how many of our clients actually use Quick Assist officially. It's probably a very small amount. So it's probably getting executed a lot more times than we expect it to. That's another thing that I'm trying to dig into: what naturally within Microsoft would launch these processes. But you can still monitor for the execution.

Some resources. The two that I want to point out really fast. Well, actually, the first one is a gentleman who did some of this research already; he was the first one to, I think, publish anything for this, so I wanted to give him credit. The next two, LOLRMM and Strontic xCyclopedia, I actually found as I was doing this research. These are really cool sites which list out all the different RMMs and all the programs in System32 and what they do, so that you can kind of whitelist that activity. Oops, sorry. All right, so that's it. The presentation is at that URL. We may have time for like one or two questions really fast. Yes? No? All right. We don't have time for questions. Oh, I'm sorry. Oh, sorry.

So, I have tried to remove the Windows 11 version of Quick Assist, to varying levels of success. Okay. I've tried doing remediation scripts through Intune, both running in the system context as well as the user context, and I just am having a really hard time actually getting the Windows 11 version uninstalled, and I'm wondering if you have any recommendations. I don't, actually; I have not gone through that.

Yeah, that was going to be my suggestion: use an EDR or your app deny-listing to block it. The problem with uninstalling it is, at some point you're going to upgrade Windows and it's going to appear back. So you have to go through that extra step.
Any other questions? Yes? Does the tool have silent running capabilities? Not that I have seen. So that's a great question. It's very in-your-face, which is why this is usually happening within a social engineering attack. I have not yet seen a way to run Quick Assist silently in the background. When you run it, it pops up right there. I mean, granted, we know how users are. But I have not yet found a silent running thing. The one thing I will say, though, is, I mentioned this at the front, RDP is the native protocol. RDP does allow file transfers and copy and paste. So I don't know where that blocking is happening within Quick Assist. If it's somewhere in, like, the GUI front end, that means that we can probably back-door through it and still do copy and paste. As far as I know, nobody has figured that out yet. I'm more worried about having, right, I have not yet seen that. I'm caveating that by: I have not yet seen it. That doesn't mean it's not happening.

So, kind of off of that: after they're connected, it's not possible for them to, like, run programs in the background? Oh, no, it is. Okay. So typically what's going to happen here in the social engineering attack, the bad guy is going to get consent to control the desktop. They're going to open up a command prompt, and they're going to use the browser or something else to curl or whatever else to download programs and put their back door on the system. So at that point, think of it as just their way to get an initial foothold on the system. They're going to load a secondary back door which allows them to do things silently. Okay. Yeah. Yes.

All right, we've got time for one more. So, Quick Assist seems like one of these products like TeamViewer you've mentioned, and we recognize that it's an issue where a lot of people, especially vendors, are using these remote access tools, and we're trying to come up with a policy or procedure on how to grapple with all of that. Do you offer anything other than blocking? Because a lot of times they come back and they say they need it, right? Yeah. I guess, first off, if they say they want to use Quick Assist, tell them no, because there's no logging and access control around that; at least make them upgrade to Intune Remote Help, because that gives you at least something. We talked about the technical ways to do this. On the policy side, come up with a standard way that you will allow vendors to do remote connections, and make them use that, and make sure that it's something that has auditing, that has access control, and so on. But sometimes it comes down to contracts and policies to force them to use what you want them to use. So, all right, I think that's it. If anybody has any questions, I'll be around. But thank you.
All done.
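The execution-window procedure the speaker describes (bound the Quick Assist session by its start and end, then collect execution artifacts that fall inside that window), as an added PowerShell example that is not part of the talk or its slides. The session start and end times below are placeholders you would fill from the Quick Assist application log, the Edge WebView History file, Prefetch, or network logs; the Prefetch path and the 4688 event field names are standard Windows locations, and no Quick Assist-specific log field is assumed, since the talk says none exists.

```powershell
# Added example, not from the talk: bound a Quick Assist session and list what
# executed inside it on the sharer's machine. Run elevated (Security log, Prefetch).
# The window is a placeholder (assumption); take it from the QA event log, the Edge
# WebView History file, Prefetch, or network logs, as the talk describes.
$SessionStart = Get-Date '2024-05-01T14:02:00'
$SessionEnd   = Get-Date '2024-05-01T14:41:00'

function Get-ProcessCreationInWindow {
    param([datetime]$Start, [datetime]$End)
    # Security 4688 (requires process creation auditing). Fields are read from the
    # event XML so the output does not depend on message-template formatting.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688;
                                     StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # the sharer, per the talk
            Process = $d.NewProcessName
            Parent  = $d.ParentProcessName
            Command = $d.CommandLine   # empty unless command-line auditing is enabled
        }
    }
}

function Get-PrefetchInWindow {
    param([datetime]$Start, [datetime]$End)
    # Prefetch: a .pf file's last-write time tracks the most recent run of that binary.
    # Full run history needs a Prefetch parser; this is a quick triage of the window.
    Get-ChildItem 'C:\Windows\Prefetch\*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
        Select-Object Name, LastWriteTime
}

function Get-QuickAssistWebViewHistory {
    # The Chromium History databases the talk describes live under the user's
    # %LOCALAPPDATA%\Temp; the exact subfolder name is not stated, so search for them.
    Get-ChildItem "$env:LOCALAPPDATA\Temp" -Recurse -Filter History -File -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, LastWriteTime
}

"== Candidate WebView History files (parse with Hindsight for the site/screenshare/statusended entries) =="
Get-QuickAssistWebViewHistory | Format-Table -AutoSize

"== 4688 process creations inside the session window =="
Get-ProcessCreationInWindow -Start $SessionStart -End $SessionEnd |
    Sort-Object Time | Format-Table -AutoSize

"== Prefetch files last written inside the session window =="
Get-PrefetchInWindow -Start $SessionStart -End $SessionEnd |
    Sort-Object LastWriteTime | Format-Table -AutoSize
```

As the talk points out, every row in the 4688 output will carry the sharer's own account and a normal explorer.exe parent, so the user field attributes nothing to the helper; the time window is what does the attribution, and the context of each process (an HR user spawning PowerShell or curl from a command prompt during the window) is what you weigh afterward. Run it against a mounted image by pointing the Prefetch and Temp paths at the mounted volume and using Get-WinEvent -Path on the exported Security.evtx instead of the live log.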