Quick Assist – A Concealed Threat

June 6, 2020 | By Shai Mark, Security Support Engineer

Microsoft Windows 10 is one of the most widely used operating systems in the world. One of its features, introduced in Windows 10 version 1607 and later, and one that most organizations are unfamiliar with, is Quick Assist. It is provisioned by default on the Windows client, and although the displayed name of the tool varies with the Windows display language, searching for "Quick Assist" in the Start menu should locate it regardless of the language settings.


Background and Communication Schemes

Quick Assist is fundamentally a remote access tool that lets one user temporarily view or take control of another user's client, whether the two machines are on the same network or connected over the internet. The tool is an executable located at %windir%\system32\quickassist.exe.

All Quick Assist traffic is client-initiated over port 443: the client contacts remoteassistance.support.services.microsoft.com and then receives the IP address of the host that services the session with the user.

With Quick Assist, a user can either "Get Assistance" or "Give Assistance". In either case, from a workflow standpoint, the request initiator (the party giving assistance) can run multiple sessions simultaneously, one with each targeted client, whereas the recipient (the party getting assistance) can have only one remote session at a time. Quick Assist issues a code that identifies the users and matches them to a session: the recipient enters the code to allow the connection to their device, which in turn grants the request initiator elevated privileges on that device.


Risks Associated with Quick Assist

As you may have gathered from the communication workflow above for Windows Remote Assistance, there are multiple cyber risks associated with this capability.

For instance, a cyber criminal posing as a Microsoft technician or as the organization's IT support can persuade a targeted user (the victim) to open Quick Assist and enter a six-digit code, supposedly to fix an identified problem, thereby giving the attacker complete access to the victim's corporate system. An adversary can also craft a Remote Assistance invitation file carrying a malicious payload for the targeted user, tricking the victim's machine into submitting the contents of specific files from known OS locations to a remote server under the adversary's command and control.

Beyond those scenarios, a few vulnerabilities have also been identified in Quick Assist, particularly ones corresponding to data exfiltration attack vectors. CVE-2018-0878 is a critical information disclosure vulnerability that adversaries could use to exfiltrate information (steal documents and files) and to compromise the victim's machine.


Should you block or remove Quick Assist?

This feature can be useful for support-service organizations that provide remote assistance to their managed-service clients. For that limited set of organizations, the feature can be used with measures in place to monitor its traffic for security concerns, whereas for most organizations it poses a threat to the business.

Since adversaries can simply target users through social engineering, for example by calling them and claiming that their systems are infected with viruses that require remote cleansing, there are numerous ways in which this tool poses a threat to organizations.

In such cases, there are a few steps that organizations can take to mitigate remote access attacks.

  1. As a best practice, remote access sessions shouldn't be permitted off-network (from outside the corporate network) or from devices not managed by the organization.

  2. Enable continuous network traffic monitoring and analysis. With consistent and persistent security monitoring of east-west and north-south traffic, unwanted remote sessions can be blocked or prevented through adequate alerting.

  3. Block and remove operating system features not sanctioned by the organization, and harden the operating systems.

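The communication scheme described earlier (client-initiated traffic on port 443 from quickassist.exe to remoteassistance.support.services.microsoft.com) and the monitoring step in item 2 above can be turned into a concrete host-side check. The following PowerShell is an added example written for this post, not code from Microsoft or from the original article. It assumes an elevated PowerShell session on Windows 10 with the NetTCPIP module (Get-NetTCPConnection) available; the function names are the example's own, and the proxy/DNS log lines it scans are constructed samples, not real captures.

```powershell
# Added example (not from the original post): detect an active Quick Assist session on a
# Windows 10 host by correlating the quickassist.exe process with its established TCP
# connections on port 443, and scan proxy/DNS log lines for the service hostname the post names.
# Assumptions: elevated PowerShell on Windows 10; NetTCPIP module present.

$QuickAssistHost = 'remoteassistance.support.services.microsoft.com'

function Get-QuickAssistSession {
    # Returns one object per established port-443 connection owned by quickassist.exe,
    # or nothing when no session is active.
    $procs = Get-Process -Name 'quickassist' -ErrorAction SilentlyContinue
    if (-not $procs) { return }
    foreach ($p in $procs) {
        Get-NetTCPConnection -OwningProcess $p.Id -State Established -RemotePort 443 -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    ProcessId     = $p.Id
                    StartTime     = $p.StartTime
                    LocalPort     = $_.LocalPort
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                }
            }
    }
}

function Find-QuickAssistLogHits {
    # Filters proxy or DNS log lines down to those that reference the Quick Assist service host.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = [regex]::Escape($QuickAssistHost)
    $Lines | Where-Object { $_ -match $pattern }
}

# Constructed sample log lines (not real traffic) so the filter can be exercised offline.
$sampleLog = @(
    '2020-06-05T09:14:02Z 10.1.2.34 CONNECT remoteassistance.support.services.microsoft.com:443 200',
    '2020-06-05T09:14:05Z 10.1.2.34 GET https://example.com/ 200',
    '2020-06-05T09:15:11Z 10.1.2.57 DNS A remoteassistance.support.services.microsoft.com'
)

$hits = @(Find-QuickAssistLogHits -Lines $sampleLog)
"Log lines referencing ${QuickAssistHost}: $($hits.Count)"   # 2 of the 3 sample lines match
$hits | ForEach-Object { "  $_" }

$sessions = @(Get-QuickAssistSession)
if ($sessions.Count -gt 0) {
    $sessions | Format-Table -AutoSize
} else {
    'No established Quick Assist session found on this host.'
}
```

In a real deployment the log filter would be fed from the proxy or DNS resolver rather than an inline array, and a hit from a workstation that has no sanctioned support role is the alert condition item 2 describes; the process check is the host-side confirmation that the session is actually live.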

How to remove Quick Assist?

There are multiple ways to block Quick Assist: application control such as AppLocker can be used, a Windows Firewall rule can be configured, or organizations can remove the tool from the operating system.

Because it is an optional Windows operating system feature, removing it will have no impact on the organization unless it is a business-sanctioned application.

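As an added example (not code from the original post or from Microsoft), the following PowerShell implements the three options just listed: an outbound Windows Defender Firewall rule for quickassist.exe, an AppLocker Deny rule for the executable path, and removal of the optional capability. It assumes an elevated PowerShell session on Windows 10. The AppLocker option additionally assumes that the Application Identity service is running and that an AppLocker policy with Allow rules already exists, because the Deny rule is merged into the existing policy rather than replacing it. The capability name pattern App.Support.QuickAssist*, the rule names and the function names are this example's own assumptions.

```powershell
# Added example (not from the original post): block or remove Quick Assist on a Windows 10 host.
# Assumptions: elevated PowerShell; for Add-QuickAssistAppLockerDeny, an existing AppLocker policy
# with Allow rules and a running Application Identity service.

$QuickAssistExe = Join-Path $env:SystemRoot 'System32\quickassist.exe'

function Test-QuickAssistPresent {
    # True if the executable is on disk or the optional capability reports as installed.
    # On builds where Quick Assist is built in rather than a capability, only the file check applies.
    $onDisk = Test-Path $QuickAssistExe
    $cap = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue
    return ($onDisk -or ($cap -and ($cap.State -contains 'Installed')))
}

function Block-QuickAssistOutbound {
    # Option 1: Windows Defender Firewall rule blocking all outbound traffic from quickassist.exe.
    # All Quick Assist traffic is client-initiated over 443, so an outbound block breaks the session setup.
    $name = 'Block Quick Assist (outbound)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Profile Any -Program $QuickAssistExe -Enabled True | Out-Null
    }
}

function Add-QuickAssistAppLockerDeny {
    # Option 2: AppLocker Deny rule on the executable path, merged into the local policy.
    # %SYSTEM32% is AppLocker's path variable for the System32 directory; S-1-1-0 is Everyone.
    $ruleId = [guid]::NewGuid().ToString()
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Deny Quick Assist" Description="Unsanctioned remote access tool" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\quickassist.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $policyFile = Join-Path $env:TEMP 'deny-quickassist.xml'
    Set-Content -Path $policyFile -Value $xml -Encoding UTF8
    # -Merge keeps the existing Allow rules; without them an enforced Exe collection blocks everything.
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
}

function Remove-QuickAssistCapability {
    # Option 3: uninstall the optional capability where Quick Assist ships as one.
    Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Installed' |
        ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
}

if (Test-QuickAssistPresent) {
    Block-QuickAssistOutbound
    'Quick Assist is present; outbound firewall block applied. Add-QuickAssistAppLockerDeny and Remove-QuickAssistCapability are available where policy calls for them.'
} else {
    'Quick Assist is not present on this host.'
}
```

The firewall rule is the least disruptive of the three and is the natural candidate for Group Policy deployment; the AppLocker rule also stops the binary from running locally even when no network is involved; removal is the cleanest end state but only applies on builds where Quick Assist is installed as a capability. Run Test-QuickAssistPresent again after removal to confirm the result.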


Stay Safe with TrustNet!