The Double-Edged Sword of Cybersecurity
Hello Hacker! Today’s article is a bit different. This time, I’m diving into the world of LOLBINs (Living Off the Land Binaries): legitimate, signed programs that already ship with the operating system and that attackers abuse to slip past security controls, because nothing new has to be dropped on disk. Much like a sword, which serves both defense and offense, the binary itself is legitimate; how it’s used is up to you.
Important Disclaimer
This article is intended for educational purposes only. I am not responsible for any misuse or harmful application of the information shared here.
The Gateway to Exploiting the Workplace Vulnerabilities
You’re likely familiar with tools like RDP, VNC, SCCM (with its Remote Control feature), and others, which are typically associated with remote desktop access. These tools were created so that IT staff could administer employees’ machines remotely, whether that means pushing VPN configurations, installing executables, or performing other administrative tasks without walking over to the desk.
However, as companies move towards more robust solutions to reduce their attack surface and patch well-known vulnerabilities, one persistent weakness remains: the employee. The person at the keyboard, who can be talked into granting access that no exploit could obtain, is the most critical vulnerability in any organization.
Attacker Can Impersonate IT Support Using Quick Assist
Imagine a scenario where an attacker sends an email to a user, posing as the company's help desk. In this email, the attacker asks the user to enter a code into a tool called Quick Assist. You may be wondering, what is Quick Assist exactly?
Quick Assist is a legitimate, built-in Windows app that allows one user to remotely connect to another PC. It’s commonly used for troubleshooting and technical support: the person being helped either shares their screen or lets the helper take control of the device.
The attacker, acting as the helper, generates a session code on their own machine and sends it to the user, asking them to enter it into Quick Assist. Once the user enters the code and clicks through the prompts to share the screen and allow control, the attacker has remote control of the user’s computer from anywhere in the world. Nothing is installed: the access runs through a short code and a legitimate, pre-installed, Microsoft-signed executable, so at the process level it looks exactly like a genuine support session and is extremely difficult to detect.
Leveraging Trust in Built-in Tools
This attack is effective because it leverages the trust that users place in legitimate, built-in applications like Quick Assist. The user has no reason to suspect anything unusual, as the tool is commonly used by IT professionals for remote support. By simply entering the code and approving the prompts, the user unknowingly grants the attacker control of their session, with whatever rights their account holds.
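Because the access described above runs through a signed, pre-installed executable, detection has to key on context rather than on the binary itself: who launched QuickAssist.exe, on which host, and what started on that host shortly afterwards. The following PowerShell is an added example written for this article, not code from the original post or from Microsoft. The events it processes are constructed for the demo; the host names, user names, the help-desk allow-list, the 30-minute window and the list of "download-capable" tools are all assumptions you would tune for your environment. The last function maps real Security event 4688 records (which require the Audit Process Creation policy to be enabled) onto the same shape.

```powershell
# Added example (not from the original post): hunt for Quick Assist sessions on
# machines of people who are not help-desk staff, and raise severity when a
# download-capable tool starts on the same host soon after the session began.

# Constructed sample events for the demo (shape mirrors Security 4688 / Sysmon 1).
$SampleEvents = @(
    [pscustomobject]@{ Host='WS-0412'; User='CORP\jdoe';      Image='C:\Windows\System32\quickassist.exe';            Time=[datetime]'2025-01-15T10:02:11' }
    [pscustomobject]@{ Host='WS-0412'; User='CORP\jdoe';      Image='C:\Windows\System32\curl.exe';                   Time=[datetime]'2025-01-15T10:09:40' }
    [pscustomobject]@{ Host='WS-0077'; User='CORP\helpdesk1'; Image='C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe'; Time=[datetime]'2025-01-15T10:15:00' }
    [pscustomobject]@{ Host='WS-0200'; User='CORP\asmith';    Image='C:\Windows\System32\quickassist.exe';            Time=[datetime]'2025-01-15T11:30:05' }
    [pscustomobject]@{ Host='WS-0200'; User='CORP\asmith';    Image='C:\Windows\explorer.exe';                        Time=[datetime]'2025-01-15T11:31:00' }
)

function Get-QuickAssistAlerts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Host, User, Image, Time
        [string[]] $AllowedUsers  = @(),             # help-desk accounts expected to run Quick Assist
        [int]      $WindowMinutes = 30               # assumed follow-up window
    )
    # Assumed list of tools an attacker commonly runs right after gaining control.
    $downloaders = 'curl.exe', 'certutil.exe', 'bitsadmin.exe', 'powershell.exe', 'mshta.exe'

    # Match on the leaf file name only: the inbox copy lives in System32, the Store
    # copy under WindowsApps, and the folder name changes with every Store update.
    $launches = $Events | Where-Object { [IO.Path]::GetFileName($_.Image) -ieq 'QuickAssist.exe' }

    foreach ($l in $launches) {
        if ($AllowedUsers -icontains $l.User) { continue }   # expected help-desk use

        $followups = $Events | Where-Object {
            $_.Host -eq $l.Host -and
            $_.Time -gt $l.Time -and
            ($_.Time - $l.Time).TotalMinutes -le $WindowMinutes -and
            ($downloaders -icontains [IO.Path]::GetFileName($_.Image))
        }
        $severity = if ($followups) { 'High' } else { 'Medium' }

        [pscustomobject]@{
            Host       = $l.Host
            User       = $l.User
            LaunchedAt = $l.Time
            Severity   = $severity
            FollowUp   = ($followups | ForEach-Object { [IO.Path]::GetFileName($_.Image) }) -join ','
        }
    }
}

function ConvertFrom-ProcessCreationEvent {
    # Map a Security 4688 event from Get-WinEvent onto the shape used above.
    # Reads the named EventData fields from the event XML, so it does not depend
    # on property ordering differences between Windows builds.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml] $Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Host  = $x.Event.System.Computer
            User  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Image = $d.NewProcessName
            Time  = $Event.TimeCreated
        }
    }
}

# Demo run: WS-0412 is High (curl.exe 7 minutes later), WS-0200 is Medium,
# WS-0077 is skipped because helpdesk1 is on the allow-list.
Get-QuickAssistAlerts -Events $SampleEvents -AllowedUsers 'CORP\helpdesk1' | Format-Table -AutoSize

# Against live logs on a host with process-creation auditing enabled:
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1) } |
#             ConvertFrom-ProcessCreationEvent
# Get-QuickAssistAlerts -Events $live -AllowedUsers 'CORP\helpdesk1'
```

The follow-up correlation matters more than the launch itself: a user opening Quick Assist is not malicious on its own, but Quick Assist followed by curl.exe or certutil.exe on a non-IT workstation is worth an analyst's time. Because the attacker's actions happen inside the victim's interactive session, those later processes are children of explorer.exe rather than of QuickAssist.exe, which is why the function correlates on host and time instead of on parent process.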
Quick Assist: Your Remote Help, Unlocked!
- Session Duration: Quick Assist sessions have a fixed duration of one hour. After that, you are prompted for 15 seconds to confirm whether you’d like to continue; if no action is taken, the session disconnects automatically. Performance may also decline with prolonged use.
- Platform Requirements: Works only between devices running Windows 10 or later, and both sides need an internet connection, since the session is brokered through Microsoft’s service rather than established directly between the two machines.
- Permission Requirements: The person requesting help must grant permission for screen sharing, and separately for remote control, before the helper can see or do anything.
- Security: Sessions are encrypted, and a unique security code is required to establish a connection. Note that the code authenticates the session, not the helper: it proves nothing about who is on the other end.
Mess-Ups and Fix-Ups
- User Training: Regularly train employees to recognize and report phishing attempts, and to verify any unsolicited support request through a known channel (call the help desk back on its published number) before entering a code.
- Monitoring & Alerts: Set up monitoring and alerting to detect unusual remote access activity and respond promptly. For Quick Assist that means process-creation telemetry for QuickAssist.exe on machines whose users are not help-desk staff, plus whatever follows a session: downloads, new remote-management tools, new scheduled tasks.
- Limit the use of Quick Assist using Group Policy Configuration
  - Enable the Solicited Remote Assistance policy (Computer Configuration > Administrative Templates > System > Remote Assistance) to restrict usage to authorized IT personnel.
  - Specify authorized users or groups.
  - Caveat: that policy was written for Windows Remote Assistance (msra.exe). Test whether it affects the Store version of Quick Assist on your builds; where it does not, uninstall the package or block it with AppLocker/WDAC.
- Limit the use of Quick Assist using Access Control Lists (ACLs)
  - Restrict access to the Quick Assist executable via ACLs.
  - Grant Read & execute to authorized IT personnel and remove it from everyone else. Prefer removing the broad Users allow entry over adding a Deny, since a Deny on Users also blocks IT staff, who are members of Users. Note that the Store app is reinstalled into a new versioned folder on every update, so ACLs placed on that copy do not survive updates.
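The two hardening options above, uninstalling the package and re-cutting the ACL on the executable, as an added PowerShell example written for this article (not code from the original post or from Microsoft). It assumes the Store package name `MicrosoftCorporationII.QuickAssist` and the inbox path `%SystemRoot%\System32\quickassist.exe`; confirm both on your build, and run from an elevated prompt. The group name `CORP\Helpdesk` is a placeholder.

```powershell
# Added example (not from the original post): two ways to limit Quick Assist.
# Run elevated. Package name and executable path are assumptions; verify them first.

function Remove-QuickAssistPackage {
    # Uninstalls the Store version of Quick Assist for every profile and
    # de-provisions it so new profiles do not receive it either.
    # Confirm the name with: Get-AppxPackage -AllUsers | Where-Object Name -like '*QuickAssist*'
    param([string] $PackageName = 'MicrosoftCorporationII.QuickAssist')   # assumed package name

    Get-AppxPackage -AllUsers -Name $PackageName | Remove-AppxPackage -AllUsers
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $PackageName |
        Remove-AppxProvisionedPackage -Online | Out-Null

    # Return whatever is left so the caller can verify; an empty result means removed.
    @(Get-AppxPackage -AllUsers -Name $PackageName)
}

function Set-QuickAssistExecutableAcl {
    # Replaces the inherited "BUILTIN\Users: Read & execute" entry on the executable
    # with an explicit allow for one help-desk group. No Deny entries are added: a
    # Deny on Users would also block help-desk staff, because they are Users too.
    param(
        [string] $Path = "$env:SystemRoot\System32\quickassist.exe",   # assumed inbox location
        [Parameter(Mandatory)] [string] $AllowedGroup                  # e.g. 'CORP\Helpdesk' (placeholder)
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Not found: $Path (the Store build lives under WindowsApps and is replaced on every update)"
    }

    # Pass 1: stop inheritance, copying the inherited entries as explicit ones.
    # Inherited ACEs cannot be removed in memory, so this has to be persisted first.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: drop the broad allows, add the help-desk allow. SYSTEM, Administrators
    # and TrustedInstaller entries are left untouched so servicing keeps working.
    $acl   = Get-Acl -Path $Path
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            [void] $acl.RemoveAccessRule($ace)
        }
    }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($AllowedGroup, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Show the resulting DACL so the change can be reviewed.
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage:
# Remove-QuickAssistPackage
# Set-QuickAssistExecutableAcl -AllowedGroup 'CORP\Helpdesk'
```

Set-Acl needs WRITE_DAC on the file; inbox binaries in System32 are owned by TrustedInstaller, so on those you will first have to take ownership (for example with `takeown /f` or `icacls /setowner`) or run as TrustedInstaller. Of the two functions, package removal is the more durable control for the Store build, since every Store update lands in a fresh versioned folder with default permissions; the ACL approach fits the inbox copy on builds that still ship one. An AppLocker or WDAC rule keyed on the publisher is the cleanest way to cover both.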
Byeizzz !!
I hope this article was both effective and informative. If you have any related recommendations, please contact me on LinkedIn linkedin.com