
Quick Assist Full Control Sharing Mode Enabled

Elastic Detection Rules

Summary
Identifies Windows Quick Assist sessions in which the Quick Assist sharing mode is set to FullControl, enabling the helper to interact with the host desktop. The detection targets Windows Application logs from the Quick Assist provider (Application channel) with an event code of 0 and a winlog.event_data.param1 payload containing both FullControl and setsharingmode. The transition is often accompanied by a JSON payload that may include "result":"true" when the user grants consent.

This pattern can indicate IT help desk fraud, unauthorized remote access, or preparation for lateral movement. The rule maps to MITRE ATT&CK techniques T1219 (Remote Access Tools) and T1021 (Remote Services) under the TA0011 (Command and Control) and TA0008 (Lateral Movement) tactics. It has a medium severity and a risk_score of 47, and it requires ingesting Windows Application logs via the Elastic Agent.

Investigations should validate legitimate usage, correlate the event with QuickAssist.exe process telemetry, and assess any follow-on activity (new logons, service creation, or additional remote access) during or after the FullControl window. Remediation may include terminating the session, isolating the host if needed, and rotating any credentials exposed during the session. Consider policy controls that limit Quick Assist usage on high-value hosts, and preserve logs for forensic review.
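The rule logic described above, applied to a handful of constructed Application-log events, as an added example (this is not Elastic's rule source or any code from the Elastic Detection Rules project). The field layout (winlog.channel, winlog.provider_name, event.code, winlog.event_data.param1) follows the Elastic Agent's winlog/ECS shape; the exact provider name string is an assumption, since the page only says "the Quick Assist provider", so the matcher accepts any provider whose name contains "Quick Assist". The sample events, hostnames, timestamps and the non-matching "ViewOnly" mode value are all constructed for the example.

```python
import json
from typing import Any, Dict, List, Optional

# Both substrings must be present in param1 for the rule to fire (case-insensitive here,
# since Elastic keyword matching in the rule may or may not be case-sensitive).
REQUIRED_TOKENS = ("fullcontrol", "setsharingmode")


def get_path(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve an ECS-style dotted field name against a nested event dict."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def consent_granted(param1: str) -> Optional[bool]:
    """Return the 'result' flag from the JSON fragment in param1, or None if absent/unparseable."""
    start, end = param1.find("{"), param1.rfind("}")
    if start == -1 or end == -1 or end < start:
        return None
    try:
        payload = json.loads(param1[start:end + 1])
    except json.JSONDecodeError:
        return None
    result = payload.get("result")
    if isinstance(result, bool):
        return result
    if isinstance(result, str):
        return result.lower() == "true"
    return None


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies the conditions stated in the rule summary."""
    if get_path(event, "winlog.channel") != "Application":
        return False
    provider = str(get_path(event, "winlog.provider_name") or "")
    if "quick assist" not in provider.lower():  # assumption: provider name contains "Quick Assist"
        return False
    if str(get_path(event, "event.code")) != "0":
        return False
    param1 = get_path(event, "winlog.event_data.param1")
    if not isinstance(param1, str):
        return False
    lowered = param1.lower()
    return all(token in lowered for token in REQUIRED_TOKENS)


def triage(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per matching event, carrying what an analyst needs to start pivoting:
    the host, the timestamp of the FullControl window, and whether consent was recorded."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        param1 = get_path(ev, "winlog.event_data.param1")
        findings.append({
            "host": get_path(ev, "host.name"),
            "timestamp": ev.get("@timestamp"),
            "consent_granted": consent_granted(param1),
        })
    return findings


# Constructed sample events (not real telemetry); shapes mimic Elastic Agent winlog output.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # matches: FullControl + setsharingmode, consent recorded as true
        "@timestamp": "2026-06-21T10:15:00Z", "host": {"name": "WS-EXAMPLE-01"},
        "event": {"code": "0"},
        "winlog": {"channel": "Application", "provider_name": "Quick Assist",
                   "event_data": {"param1": 'setsharingmode FullControl {"result":"true"}'}},
    },
    {   # matches, but no JSON result fragment -> consent unknown
        "@timestamp": "2026-06-21T10:20:00Z", "host": {"name": "WS-EXAMPLE-02"},
        "event": {"code": "0"},
        "winlog": {"channel": "Application", "provider_name": "Quick Assist",
                   "event_data": {"param1": "SetSharingMode: FullControl"}},
    },
    {   # does not match: sharing mode is a constructed non-FullControl value
        "@timestamp": "2026-06-21T10:25:00Z", "host": {"name": "WS-EXAMPLE-03"},
        "event": {"code": "0"},
        "winlog": {"channel": "Application", "provider_name": "Quick Assist",
                   "event_data": {"param1": 'setsharingmode ViewOnly {"result":"true"}'}},
    },
    {   # does not match: right tokens, wrong channel
        "@timestamp": "2026-06-21T10:30:00Z", "host": {"name": "WS-EXAMPLE-04"},
        "event": {"code": "0"},
        "winlog": {"channel": "System", "provider_name": "Quick Assist",
                   "event_data": {"param1": "setsharingmode FullControl"}},
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The consent flag is deliberately tri-state: a matching event with no parseable "result" still fires, because the page describes the JSON fragment as optional, and the analyst should treat an unknown consent state as something to confirm from the user rather than as a reason to suppress the alert.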
Categories
  • Endpoint
  • Windows
Data Sources
  • Application Log
  • Process
ATT&CK Techniques
  • T1219
  • T1021
Created: 2026-06-21