Quick Assist Full Control Sharing Mode Enabled

Last updated 3 days ago on 2026-06-21

Created 3 days ago on 2026-06-21

About

Identifies when Microsoft Quick Assist sharing mode is set to FullControl on a Windows host. This grants the remote helper full interactive control of the target device and may indicate IT help desk fraud, unauthorized remote access, or lateral movement preparation.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Command and ControlTactic: Lateral MovementData Source: Windows Application Event LogsLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Remote Access Tools (T1219)(external, opens in a new tab or window)

Lateral Movement (TA0008)(external, opens in a new tab or window)

↳ Remote Services (T1021)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-system.application*logs-windows.forwarded*winlogbeat-*

Related Integrations

system(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗host.os.type:windows and winlog.channel:"Application" and event.provider:"Quick Assist" and event.code:"0" and
  winlog.event_data.param1:(*FullControl* and *setsharingmode*)

Install detection rules in Elastic Security

Detect Quick Assist Full Control Sharing Mode Enabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).