Trusted Developer Utilities Proxy Execution: ClickOnce

Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.[1] ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.[2]

Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.[3] As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.

ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.[4]

Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1.[5]

Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).[1][6]

ID: T1127.002
Sub-technique of: T1127
Tactic: Defense Evasion
Platforms: Windows
Contributors: Wirapong Petshagun
Version: 1.1
Created: 09 September 2024
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1045 Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.[7]

M1042 Disable or Remove Feature or Program

Disable ClickOnce installations from the internet using the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel — Internet:Disabled[4][8]

ClickOnce may not be necessary within an environment and should be disabled if not being used.

M1021 Restrict Web-Based Content

Disable ClickOnce installations from the internet using the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel — Internet:Disabled[4]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0191 Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)

AN0550: Abuse of ClickOnce applications where rundll32.exe invokes dfshim.dll with ShOpenVerbApplication, or dfsvc.exe spawns unexpected child processes or loads unsigned modules.
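As an added illustration of analytic AN0550 (example code written for this page, not part of the ATT&CK content or any vendor's detection), the following Python applies the three behaviour checks to a few constructed Sysmon-style process-create and image-load events. The ClickOnce application cache path used as an allow-list for dfsvc.exe children is an assumption, as are the event field names.

```python
"""Toy analytic for DET0191 / AN0550 over constructed telemetry.

Events are dicts shaped loosely like Sysmon Event ID 1 (process create)
and Event ID 7 (image load). All records below are constructed samples,
not real telemetry.
"""
import re

# Assumption: legitimately deployed ClickOnce apps run from the per-user
# ClickOnce cache, so a dfsvc.exe child outside it deserves review.
CLICKONCE_CACHE = re.compile(r"\\appdata\\local\\apps\\2\.0\\", re.IGNORECASE)
# Matches the dfshim.dll export named in the technique description.
DFSHIM_VERB = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication", re.IGNORECASE)


def analyze(event):
    """Return a list of finding strings for one event (empty if nothing fired)."""
    findings = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")

    # Chain 1: rundll32.exe invoking dfshim.dll,ShOpenVerbApplication.
    if image.endswith("\\rundll32.exe") and DFSHIM_VERB.search(cmd):
        findings.append("rundll32 -> dfshim.dll ShOpenVerbApplication")

    # Chain 2: dfsvc.exe spawning a child outside the ClickOnce app cache.
    if event.get("EventID") == 1 and parent.endswith("\\dfsvc.exe"):
        if not CLICKONCE_CACHE.search(event.get("Image", "")):
            findings.append("dfsvc.exe child outside ClickOnce cache")

    # Chain 3: dfsvc.exe loading a module without a valid signature.
    if event.get("EventID") == 7 and image.endswith("\\dfsvc.exe"):
        if event.get("Signed", "").lower() != "true":
            findings.append("dfsvc.exe loaded unsigned module")
    return findings


SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe dfshim.dll,ShOpenVerbApplication http://example.invalid/app.application"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Apps\2.0\AB12\app.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": "app.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\x.dll", "Signed": "false"},
]


def run(events=SAMPLE_EVENTS):
    """Return (event_index, findings) pairs for every event with at least one hit."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze(e))]
```

The second sample (an app launched by dfsvc.exe from the ClickOnce cache) is the expected benign case and produces no finding; the other three each trigger exactly one chain.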
