Trusted Developer Utilities Proxy Execution: ClickOnce

ID Name
T1127.001 MSBuild
T1127.002 ClickOnce

Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.[1] ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.[2]

Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.[3] As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.

ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.[4]

Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1.[5]

Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).[1][6]

ID: T1127.002
Sub-technique of: T1127
Tactic: Defense Evasion
Platforms: Windows
System Requirements: .NET Framework
Contributors: Wirapong Petshagun
Version: 1.0
Created: 09 September 2024
Last Modified: 17 October 2024

Mitigations

ID Mitigation Description
M1045 Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.[7]

M1042 Disable or Remove Feature or Program

Disable ClickOnce installations from the internet using the following registry key: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel, with the Internet value set to Disabled.[4][8]

ClickOnce may not be necessary within an environment and should be disabled if not being used.

M1021 Restrict Web-Based Content

Disable ClickOnce installations from the internet using the following registry key: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel, with the Internet value set to Disabled.[4]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for rundll32.exe being invoked from the command line to call the ClickOnce API functions exported by dfshim.dll (ex: rundll32.exe dfshim.dll,ShOpenVerbApplication file.appref-ms).

DS0011 Module Module Load

Monitor dfsvc.exe child process activity with unsigned module loads, as well as activity associated with dfshim.dll. Compare with a baseline of ClickOnce activity to whitelist applications with valid business use-cases.[2]

DS0009 Process Process Creation

Monitor for newly executed child processes of dfsvc.exe that may be indicative of malicious ClickOnce applications.

Process Metadata

Evaluate Event Tracing for Windows (ETW) telemetry associated with ClickOnce deployment execution.
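The Command Execution and Process Creation detections above, together with the Startup-folder persistence pattern described earlier, can be turned into simple rules over process-creation telemetry. The following is an added example, not part of the ATT&CK page: it runs three such rules over constructed Sysmon-style events (the field names, file paths and PIDs are assumptions, not real telemetry) and shows how a baseline allowlist suppresses a known-good dfsvc.exe child.

```python
"""Flag process-creation events that match the ClickOnce abuse patterns on this page."""
import re

# Constructed sample events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe dfshim.dll,ShOpenVerbApplication http://example.invalid/app.application",
     "signed": True},
    {"pid": 4130, "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "image": r"C:\Users\alice\AppData\Local\Apps\2.0\abc\updater.exe",
     "command_line": "updater.exe", "signed": False},
    {"pid": 4140, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c copy app.appref-ms "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"',
     "signed": True},
    {"pid": 4150, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe", "signed": True},
]

DFSHIM_RE = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
CLICKONCE_FILE_RE = re.compile(r"\.(appref-ms|application)\b", re.IGNORECASE)


def classify(event, allowlist=frozenset()):
    """Return the names of the rules this event triggers (empty list = nothing of note)."""
    hits = []
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    parent_name = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    # DS0017 Command Execution: rundll32 calling the ClickOnce entry point in dfshim.dll
    if image_name == "rundll32.exe" and DFSHIM_RE.search(cmd):
        hits.append("rundll32_dfshim_ShOpenVerbApplication")
    # DS0009 Process Creation: child of dfsvc.exe not in the baseline allowlist (lower-cased full image path)
    if parent_name == "dfsvc.exe" and event["image"].lower() not in allowlist:
        hits.append("dfsvc_child_unsigned" if not event["signed"] else "dfsvc_child_unknown")
    # Persistence: a ClickOnce launcher file (.appref-ms/.application) placed in a Startup folder
    if STARTUP_RE.search(cmd) and CLICKONCE_FILE_RE.search(cmd):
        hits.append("clickonce_file_to_startup_folder")
    return hits


def scan(events, allowlist=frozenset()):
    """Map pid -> triggered rule names for every event that matched at least one rule."""
    return {e["pid"]: classify(e, allowlist) for e in events if classify(e, allowlist)}


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```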

References