
DNS Query Request By QuickAssist.EXE

Sigma Rules

Summary
This rule flags DNS queries issued by QuickAssist.exe, the Microsoft Quick Assist client, for the Quick Assist service endpoint that is resolved when a remote-assistance session is set up. Quick Assist lets one person view and control another person's Windows desktop, and threat actors have abused it in social-engineering campaigns: the attacker poses as help-desk or vendor support, talks the victim into starting a session, and then uses the resulting interactive access for follow-on activity such as ransomware deployment. The detection matches Windows DNS query events (for example Sysmon Event ID 22) in which the Image ends with '\QuickAssist.exe' and the QueryName ends with 'remoteassistance.support.services.microsoft.com'. Because exactly the same query is produced by a legitimate session, the rule carries the Sigma level 'low': a hit means a Quick Assist session is being established, not that it is malicious. Organizations whose help desk uses Quick Assist should expect regular hits and may want to tune on the users or hosts that are normally supported this way. Before acting on an alert, analysts should correlate it with who launched the process, whether the session was expected, and what QuickAssist.exe and its child processes did afterwards. Matching on the image name is also trivially bypassed by renaming or repackaging the binary, so this rule complements, rather than replaces, policy controls such as removing or blocking Quick Assist where it is not sanctioned.
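As an added illustration, not code from the rule page or from the SigmaHQ repository, the following Python evaluates the rule's selection against constructed Sysmon DNS-query events. The detection block is transcribed from the summary above; the event records, file paths, and the helper and function names are assumptions made for this example. The evaluator implements the default Sigma string semantics the rule relies on (case-insensitive comparison, list values OR-ed, fields inside one selection AND-ed) and includes the cases a practitioner should know the rule does and does not catch: mixed-case paths are matched, a lookalike such as NotQuickAssist.exe is not (the pattern's leading backslash anchors the file name), and a renamed copy of the binary is missed entirely.

```python
"""Evaluate the QuickAssist DNS-query Sigma selection over sample events.

Added example: a minimal evaluator for the Sigma string modifiers this rule
needs (plain equality, endswith, startswith, contains). It is not a Sigma
backend and handles only a condition that names a single selection.
"""

# Detection block of the rule, transcribed as a Python dict. Sigma writes a
# single backslash in '\QuickAssist.exe'; the Python literal must escape it.
DETECTION = {
    "selection": {
        "Image|endswith": "\\QuickAssist.exe",
        "QueryName|endswith": "remoteassistance.support.services.microsoft.com",
    },
    "condition": "selection",
}


def _match_value(field_value, modifier, pattern):
    """Compare one event field against one pattern, case-insensitively."""
    value = str(field_value).lower()
    pattern = pattern.lower()
    if modifier == "":
        return value == pattern
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "contains":
        return pattern in value
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(selection, event):
    """Every field of the selection must match (AND); list values are OR-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False  # an absent field never satisfies a selection
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event[field], modifier, p) for p in patterns):
            return False
    return True


def evaluate(detection, event):
    """Evaluate a detection block whose condition names one selection."""
    name = detection["condition"].strip()
    return selection_matches(detection[name], event)


def find_alerts(events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate(DETECTION, ev)]


# Constructed Sysmon Event ID 22 records, reduced to the two fields the rule
# reads. Paths and hostnames are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    # 0: the behaviour the rule targets -> alert
    {"Image": r"C:\Windows\System32\QuickAssist.exe",
     "QueryName": "remoteassistance.support.services.microsoft.com"},
    # 1: another process resolving the same name -> no alert
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "remoteassistance.support.services.microsoft.com"},
    # 2: QuickAssist resolving an unrelated name -> no alert
    {"Image": r"C:\Windows\System32\QuickAssist.exe",
     "QueryName": "login.microsoftonline.com"},
    # 3: different casing; Sigma matching is case-insensitive -> alert
    {"Image": r"c:\windows\system32\QUICKASSIST.EXE",
     "QueryName": "RemoteAssistance.Support.Services.Microsoft.com"},
    # 4: lookalike file name; the leading backslash in the pattern
    #    prevents a match on 'NotQuickAssist.exe' -> no alert
    {"Image": r"C:\Users\Public\NotQuickAssist.exe",
     "QueryName": "remoteassistance.support.services.microsoft.com"},
    # 5: renamed copy of the client; image-name matching cannot see it -> no alert
    {"Image": r"C:\Users\Public\qa.exe",
     "QueryName": "remoteassistance.support.services.microsoft.com"},
]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['Image']} -> {ev['QueryName']}")
```

Event 5 is the case the summary's caveat refers to: the DNS query is identical, but nothing in the event ties it back to Quick Assist once the binary has been renamed, so a process-creation rule keyed on the original file name or signer, or an application-control policy, is needed to cover it.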
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Application Log
Created: 2024-12-19