Abuse of ClickOnce applications, detected where rundll32.exe invokes dfshim.dll with ShOpenVerbApplication, or where dfsvc.exe spawns unexpected child processes or loads unsigned modules.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Metadata (DC0034) | WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode | ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads |

| Field | Description |
|---|---|
| TimeWindow | The correlation window for dfsvc.exe/rundll32.exe execution and subsequent module loads or child processes (e.g., 0–10 minutes). |
| KnownClickOnceApps | Whitelist of legitimate ClickOnce applications and paths. |
| SuspiciousChildList | Child processes considered abnormal when launched by dfsvc.exe or rundll32.exe. |
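The following Python is an added illustration of the analytic described above and its tunable fields; it is not part of the original page or of the ATT&CK project's own content. It correlates constructed Security 4688 and Sysmon Event ID 7 records: a rundll32.exe launch of dfshim.dll,ShOpenVerbApplication whose deployment manifest is not in KnownClickOnceApps, an unsigned module loaded by dfsvc.exe, and a SuspiciousChildList process spawned by a launcher, all within TimeWindow. The event field names (`ts`, `pid`, `parent_pid`, `image`, `command_line`, `signed`, `image_loaded`), the allowlist and suspicious-child values, and every sample event are constructed assumptions.

```python
"""Correlate ClickOnce launcher events with later child processes and module loads.

Added example; the event records and tunable values below are constructed.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables named as in the table above; the values are constructed assumptions.
TIME_WINDOW = timedelta(minutes=10)
KNOWN_CLICKONCE_APPS = {
    "https://apps.example.internal/payroll/payroll.application",  # constructed
}
SUSPICIOUS_CHILD_LIST = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                         "cscript.exe", "regsvr32.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_clickonce_launcher(ev):
    """True for a 4688 of dfsvc.exe, or of rundll32.exe calling dfshim.dll,ShOpenVerbApplication."""
    if ev["event_code"] != 4688:
        return False
    img = basename(ev["image"])
    if img == "dfsvc.exe":
        return True
    cmd = ev.get("command_line", "").lower()
    return img == "rundll32.exe" and "dfshim.dll" in cmd and "shopenverbapplication" in cmd


def deployment_uri(command_line):
    """Deployment manifest argument: the last token of 'rundll32 dfshim.dll,ShOpenVerbApplication <uri>'."""
    parts = command_line.split()
    return parts[-1].strip('"') if len(parts) >= 3 else ""


def detect(events):
    """Return (rule, timestamp, detail) tuples for the three behaviours in the analytic.

    Launcher processes are remembered by pid for TIME_WINDOW; a child process or module
    load attributed to a launcher after the window has elapsed is not correlated.
    """
    alerts = []
    launchers = {}  # pid -> launcher 4688 event
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Drop launcher records that have aged out of the correlation window.
        launchers = {pid: le for pid, le in launchers.items() if ev["ts"] - le["ts"] <= TIME_WINDOW}
        if is_clickonce_launcher(ev):
            launchers[ev["pid"]] = ev
            if basename(ev["image"]) == "rundll32.exe":
                uri = deployment_uri(ev.get("command_line", ""))
                if uri not in KNOWN_CLICKONCE_APPS:
                    alerts.append(("unknown_clickonce_app", ev["ts"], uri))
            continue
        if ev["event_code"] == 4688 and ev.get("parent_pid") in launchers:
            child = basename(ev["image"])
            if child in SUSPICIOUS_CHILD_LIST:
                parent = basename(launchers[ev["parent_pid"]]["image"])
                alerts.append(("suspicious_child", ev["ts"], f"{parent} -> {child}"))
        elif ev["event_code"] == 7 and ev.get("pid") in launchers and not ev.get("signed", False):
            alerts.append(("unsigned_module", ev["ts"], ev["image_loaded"]))
    return alerts


RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
T0 = datetime(2024, 5, 1, 9, 0, 0)


def _launch_cmd(uri):
    """Shape of the .application handler command line (constructed)."""
    return f'"{RUNDLL32}" "C:\\Windows\\System32\\dfshim.dll",ShOpenVerbApplication {uri}'


SAMPLE_EVENTS = [  # constructed: a benign chain first, then an abusive one
    {"ts": T0, "event_code": 4688, "pid": 4100, "parent_pid": 3000, "image": RUNDLL32,
     "command_line": _launch_cmd("https://apps.example.internal/payroll/payroll.application")},
    {"ts": T0 + timedelta(seconds=2), "event_code": 4688, "pid": 4120, "parent_pid": 4100,
     "image": DFSVC, "command_line": "dfsvc.exe"},
    {"ts": T0 + timedelta(seconds=5), "event_code": 7, "pid": 4120, "image": DFSVC, "signed": True,
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Deployment.dll"},
    {"ts": T0 + timedelta(minutes=30), "event_code": 4688, "pid": 5200, "parent_pid": 3000,
     "image": RUNDLL32, "command_line": _launch_cmd("https://cdn.untrusted-placeholder.example/update.application")},
    {"ts": T0 + timedelta(minutes=30, seconds=3), "event_code": 4688, "pid": 5210, "parent_pid": 5200,
     "image": DFSVC, "command_line": "dfsvc.exe"},
    {"ts": T0 + timedelta(minutes=30, seconds=6), "event_code": 7, "pid": 5210, "image": DFSVC,
     "signed": False, "image_loaded": r"C:\Users\alice\AppData\Local\Temp\updater.dll"},
    {"ts": T0 + timedelta(minutes=30, seconds=8), "event_code": 4688, "pid": 5230, "parent_pid": 5210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -NoProfile"},
    # Outside TIME_WINDOW relative to its dfsvc.exe parent, so deliberately not correlated.
    {"ts": T0 + timedelta(minutes=42, seconds=3), "event_code": 4688, "pid": 5240, "parent_pid": 5210,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} {rule}: {detail}")
```

Run stand-alone, the benign payroll chain produces nothing and the second chain produces three alerts (unknown manifest, unsigned module, dfsvc.exe spawning powershell.exe); the late cmd.exe launch is dropped because its parent has aged past TimeWindow, which is the tuning trade-off the TimeWindow field controls. In a SIEM the same join uses the 4688 new/creator process IDs against the Sysmon Event 7 ProcessId and its Signed field; command-line auditing must be enabled for the dfshim.dll,ShOpenVerbApplication match to be visible in 4688.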