Windows 10: Quick Assist
Quick Assist was introduced in the 2016 Anniversary edition and is an upgrade to the Windows Remote Assistant utility that allows you to connect to another Windows 10 computer over the internet.
For remote support this is great, but it also enables the "Remote Tech Support" scam's without the need for the malicious party to trick or persuade the victim into downloading and installing a Remote Administration Tool or RAT.
The other problem with this is that it could be a way for attackers to get into corporate networks or pull the above scam on remote workers which could then be used to pivot into the company via a VPN.
Below is an example of the Quick Assist tool in action, as you can see it allows the attacker to click the UAC pop-up enabling admin rights.
Attacker: Work Group Computer
Victim: Domain Joined Computer
Both VMs are on different networksFrom Wikipedia the below connections are required
| URL | Mandatory |
|---|---|
| channelwebsdks.azureedge.net | yes |
| web.vortex.data.microsoft.com | unknown |
| gateway.channelservices.microsoft.com | unknown |
| remoteassistance.support.services.microsoft.com | yes |
| relay.support.services.microsoft.com | unknown |
| `*.lync.com | unknown |
whilst testing the below domains were connected to by both machines
api.support.microsoft.com
assets.onestore.ms
browser.pipe.aria.microsoft.com
channelwebsdks.azureedge.net
latest-swx.cdn.skype.com
noammeetings.resources.lync.com
rdprelaynortheuropeprod-1.support.services.microsoft.com
relay.support.services.microsoft.com
remoteassistance.support.services.microsoft.com
skypeconfiga.support.services.microsoft.com
webpoolbl20r04.infra.lync.com
web.vortex.data.microsoft.com
The executable can be found at C:\Windows\System32\quickassist.exe
Removing Quick Assist
Quick Assist can be removed via the DISM command
PS C:\Windows\system32> dism /online /Get-Capabilities | findstr /i "assist"
Capability Identity : App.Support.QuickAssist~~~~0.0.1.0
PS C:\Windows\system32> dism /online /Remove-Capability /CapabilityName:App.Support.QuickAssist~~~~0.0.1.0
Deployment Image Servicing and Management tool
Version: 10.0.19041.572
Image Version: 10.0.19041.572
[==========================100.0%==========================]
The operation completed successfully.Or using Powershell (reboot may be required)
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0Group Policy
The below Group Policy settings only affect Remote Assistance and not Quick Assist ....
From some Googling it still appears there is no way to control Quick Assist from GPO, but using GPO you could block it completely using Applocker, Windows Firewall to block the EXE or removing the EXE with a login script.
Remote Support
If a remote support solution is required then something like a LogMeIn, BeyoundTrust or Dameware should be used where you can restrict and log access. There should also be a policy in place and well-known procedure used to initiate connections, with users able to confirm it is their IT Team and not a malicious attacker trying to connect.