S1209: Quick Assist
Quick Assist is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. Quick Assist allows for remote screen sharing and, with end user approval, remote control and command execution on the enabling device.[1][2]
Analyst context for executives and security teams
Quick Assist is a legitimate remote assistance tool for Windows and macOS that can enable screen sharing, remote control, and command execution after end-user approval. Its business significance is not that the tool is inherently malicious, but that trusted support workflows can become a security blind spot when users are socially engineered into granting access.
Executive priority
Leaders should treat Quick Assist as a governance and monitoring question: who is allowed to provide remote assistance, how users verify support requests, and whether SOC and IR teams can reconstruct remote-control sessions. This matters for operational resilience because misuse of an approved remote support channel can bypass controls that assume access arrives only through malware, and it leaves gaps in audit, identity, help desk, and incident-response evidence.
Technical view
ATT&CK does not provide detection guidance for S1209, so teams should validate coverage around the supplied behaviors: Quick Assist execution or use on Windows and macOS, user-approved remote control, screen sharing, command execution on the enabling device, and related use of Web Protocols for command-and-control plus Screen Capture and Video Capture collection behaviors. Because the tool itself is legitimate, detection should focus on context: unexpected users, unusual timing, unmanaged devices, help desk impersonation patterns, remote-control activity followed by privileged actions, or collection-like behavior.
Likely telemetry
- Endpoint process execution and application usage records for Quick Assist or equivalent remote assistance components
- Operating system logs showing application launch, remote assistance session activity, user approval prompts, or remote-control enablement where available
- Network telemetry for web protocol traffic associated with remote assistance sessions
- Identity and access logs showing the signed-in user, privilege changes, or administrative actions during or after a session
- Help desk, ticketing, chat, phone, or user-reporting records that can confirm whether a support request was legitimate
Detection direction
- Build allowlist-aware detections: Quick Assist use may be normal for support teams, so prioritize anomalies by user role, device group, time, geography, and absence of a matching support ticket.
- Correlate Quick Assist activity with subsequent command execution, privilege use, data access, or configuration changes on the same endpoint.
- Review web protocol monitoring assumptions; remote assistance traffic may blend with common HTTPS activity and may not be visible if inspection, proxy logging, or endpoint network telemetry is limited.
- Tune for social-engineering context, such as a non-support user initiating or approving remote assistance shortly before suspicious administrative activity.
- Validate visibility separately on Windows and macOS because the object lists both platforms and telemetry sources may differ.
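As an added example (not from the ATT&CK object or Glexia's analysis), the Python below applies the allowlist, ticket-correlation and follow-on-privilege checks listed above to constructed telemetry; the process name, event format, roles and privileged-action labels are assumptions to be replaced with locally confirmed values.

```python
# Added example: allowlist-aware correlation of remote assistance launches with
# later privileged actions. Event format, roles, tickets and process name are
# constructed/assumed; confirm the real process name from local documentation.
from datetime import datetime, timedelta

REMOTE_ASSIST_PROCESS = "QuickAssist.exe"  # assumption, not from the page
SUPPORT_ROLES = {"helpdesk", "desktop-support"}  # roles expected to run sessions
WINDOW = timedelta(minutes=30)  # look-ahead for privileged actions after launch

def parse(line):
    # Constructed format: "<iso time>|<host>|<user>|<role>|<kind>|<detail>"
    ts, host, user, role, kind, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "role": role, "kind": kind, "detail": detail}

def has_ticket(tickets, host, user, ts):
    # A ticket matches if it names the host and user and was opened within 4h before launch.
    return any(t["host"] == host and t["user"] == user
               and t["opened"] <= ts <= t["opened"] + timedelta(hours=4)
               for t in tickets)

def find_suspicious_sessions(lines, tickets):
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    findings = []
    for launch in events:
        if launch["kind"] != "process" or launch["detail"] != REMOTE_ASSIST_PROCESS:
            continue
        reasons = []
        if launch["role"] not in SUPPORT_ROLES:
            reasons.append("non-support user")
        if not has_ticket(tickets, launch["host"], launch["user"], launch["ts"]):
            reasons.append("no matching ticket")
        followups = [e["detail"] for e in events
                     if e["host"] == launch["host"] and e["kind"] == "privileged"
                     and launch["ts"] <= e["ts"] <= launch["ts"] + WINDOW]
        if followups:
            reasons.append("privileged actions after launch: " + ", ".join(followups))
        # Ticketed sessions with no follow-on privilege use are treated as normal support.
        if followups or "no matching ticket" in reasons:
            findings.append((launch["host"], launch["user"], reasons))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    "2025-03-14T09:00:00|WS-01|alice|finance|process|QuickAssist.exe",
    "2025-03-14T09:12:00|WS-01|alice|finance|privileged|AddLocalAdmin",
    "2025-03-14T10:00:00|WS-02|bob|engineering|process|QuickAssist.exe",
    "2025-03-14T11:00:00|WS-03|carol|helpdesk|process|QuickAssist.exe",
    "2025-03-14T11:05:00|WS-03|carol|helpdesk|privileged|ServiceInstall",
]
SAMPLE_TICKETS = [{"host": "WS-02", "user": "bob", "opened": datetime(2025, 3, 14, 9, 45)},
                  {"host": "WS-03", "user": "carol", "opened": datetime(2025, 3, 14, 10, 50)}]
```

Running `find_suspicious_sessions(SAMPLE_EVENTS, SAMPLE_TICKETS)` flags WS-01 (non-support user, no ticket, local admin added) and WS-03 (ticketed support session followed by a service install), while the ticketed, quiet session on WS-02 is allowlisted.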
Mitigation priorities
- Define policy for when Quick Assist is permitted, which users or support teams may initiate or receive assistance, and what verification steps are required before users approve control.
- Train users and help desk staff to verify remote assistance requests through established channels, especially when a caller asks the user to launch a tool or approve control.
- Restrict or manage remote assistance tooling where business need is limited, using operating system, endpoint management, or application control capabilities appropriate to the environment.
- Require support workflows to create auditable records, such as tickets or approvals, so SOC and IR teams can distinguish legitimate assistance from suspicious use.
- Ensure incident response playbooks include collection of endpoint, identity, network, and help desk evidence around remote assistance sessions.
Analyst notes and limits
The object has no ATT&CK tactic assignment and no official detection text. The strongest relationship-driven context is that Quick Assist uses Web Protocols, Screen Capture, and Video Capture, which frames likely SOC validation around remote-control communications and collection visibility rather than malware signatures. Microsoft references supplied by ATT&CK include product documentation and reporting about misuse in social-engineering attacks, but local policy and telemetry are required to determine whether any given session is authorized.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish that Quick Assist is malicious, that any specific organization is exposed, or that detection is guaranteed. Detailed event IDs, process names, network destinations, and control mechanisms are not provided in the supplied object and must be confirmed from local Microsoft, endpoint, and network documentation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique of T1071) | Quick Assist communicates over TCP 443 via HTTPS to a remote session server, under which RDP traffic is transferred.[2] |
| Enterprise | T1113 | Screen Capture | Quick Assist allows for the remote administrator to take screenshots of the running system.[2] |
| Enterprise | T1125 | Video Capture | Quick Assist allows for the remote administrator to view the interactive session of the running machine, including full screen activity.[2][1] |
Groups, software, and campaigns
G1046: Storm-1811
Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 22489f2a8049… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Storm-1811 2024: Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
- [2] Microsoft Quick Assist 2024: Microsoft. (2024, September 4). Use Quick Assist to help users. Retrieved March 14, 2025.
- [3] mitre-attack S1209: MITRE ATT&CK software object S1209.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.