
DET0191 Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)

| Item          | Value           |
|---------------|-----------------|
| ID            | DET0191         |
| Version       | 1.0             |
| Created       | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1127.002 (ClickOnce)

Analytics

Windows

AN0550

Abuse of ClickOnce applications, detected where rundll32.exe invokes dfshim.dll with the ShOpenVerbApplication export, or where dfsvc.exe spawns unexpected child processes or loads unsigned modules.

Log Sources

| Data Component           | Name                 | Channel                                                                                                                                               |
|--------------------------|----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688                                                                                                                                        |
| Module Load (DC0016)      | WinEventLog:Sysmon   | EventCode=7                                                                                                                                           |
| Process Metadata (DC0034) | WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode | ETW telemetry indicating a ClickOnce deployment (dfsvc.exe) launching payloads |
Mutable Elements

| Field               | Description                                                                                                                         |
|---------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| TimeWindow          | The correlation window between dfsvc.exe/rundll32.exe execution and subsequent module loads or child processes (e.g., 0–10 minutes). |
| KnownClickOnceApps  | Whitelist of legitimate ClickOnce applications and paths.                                                                            |
| SuspiciousChildList | Child processes considered abnormal when launched by dfsvc.exe or rundll32.exe.                                                     |
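The behavior chain in AN0550 and the three mutable elements above map directly onto a two-stage correlation: a stage-1 trigger (rundll32.exe calling dfshim.dll,ShOpenVerbApplication, or dfsvc.exe starting) followed within TimeWindow by a stage-2 event (a child of a ClickOnce host that is on SuspiciousChildList and not on KnownClickOnceApps, or an unsigned module loaded by dfsvc.exe). The Python below is an added illustration of that logic, not code from the ATT&CK project or this detection strategy; the flat event dictionaries, their field names, the sample paths and the timestamps are all constructed assumptions standing in for normalised Security 4688 and Sysmon EventID 7 records.

```python
"""Behavior-chain correlation for ClickOnce abuse (T1127.002), modelled on DET0191/AN0550.

Hypothetical event shape: one flat dict per event, as an ingestion pipeline might
normalise Security 4688 (process_create) and Sysmon EventID 7 (module_load) records.
Field names ("ts", "type", "image", "parent_image", "command_line", "module",
"signed") are assumptions for this example.
"""
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=10)       # mutable element "TimeWindow"
KNOWN_CLICKONCE_APPS = {                  # mutable element "KnownClickOnceApps" (constructed sample)
    r"c:\users\alice\appdata\local\apps\2.0\contoso\inventory.exe",
}
SUSPICIOUS_CHILD_LIST = {                 # mutable element "SuspiciousChildList" (constructed sample)
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
}
CLICKONCE_HOSTS = {"dfsvc.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickonce_trigger(ev):
    """Stage 1: dfsvc.exe starts, or rundll32 invokes dfshim.dll's ShOpenVerbApplication."""
    if ev["type"] != "process_create":
        return False
    img = basename(ev["image"])
    if img == "dfsvc.exe":
        return True
    cl = ev.get("command_line", "").lower()
    return img == "rundll32.exe" and "dfshim.dll" in cl and "shopenverbapplication" in cl


def suspicious_follow_on(ev):
    """Stage 2: unexpected child of a ClickOnce host, or unsigned module loaded by dfsvc.exe.

    Returns a human-readable reason, or None if the event is not suspicious."""
    if ev["type"] == "process_create":
        parent = basename(ev.get("parent_image", ""))
        if parent in CLICKONCE_HOSTS:
            child = ev["image"].lower()
            if basename(child) in SUSPICIOUS_CHILD_LIST and child not in KNOWN_CLICKONCE_APPS:
                return f"unexpected child {basename(child)} of {parent}"
    elif ev["type"] == "module_load":
        if basename(ev["image"]) == "dfsvc.exe" and not ev.get("signed", True):
            if ev["module"].lower() not in KNOWN_CLICKONCE_APPS:
                return f"unsigned module {basename(ev['module'])} loaded by dfsvc.exe"
    return None


def correlate(events, window=TIME_WINDOW):
    """Return (trigger_time, trigger_image, reason) for each stage-2 event that follows
    a stage-1 trigger within `window`; stage-2 events with no preceding trigger are ignored."""
    events = sorted(events, key=lambda e: e["ts"])
    triggers = [e for e in events if is_clickonce_trigger(e)]
    alerts = []
    for ev in events:
        reason = suspicious_follow_on(ev)
        if reason is None:
            continue
        for trig in triggers:
            if timedelta(0) <= ev["ts"] - trig["ts"] <= window:
                alerts.append((trig["ts"].isoformat(), basename(trig["image"]), reason))
                break
    return alerts


# Constructed sample telemetry (not real events): a ClickOnce launch followed by a benign
# signed module load, an unsigned module load, an unexpected cmd.exe child, and a late child
# that falls outside the correlation window.
T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\dfshim.dll,ShOpenVerbApplication "
                     r"http://apps.example.invalid/inventory.application"},
    {"ts": T0 + timedelta(seconds=2), "type": "process_create", "image": r"C:\Windows\System32\dfsvc.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "command_line": "dfsvc.exe"},
    {"ts": T0 + timedelta(seconds=5), "type": "module_load", "image": r"C:\Windows\System32\dfsvc.exe",
     "module": r"C:\Users\alice\AppData\Local\Apps\2.0\contoso\inventory.exe", "signed": True},
    {"ts": T0 + timedelta(seconds=9), "type": "module_load", "image": r"C:\Windows\System32\dfsvc.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\stage.dll", "signed": False},
    {"ts": T0 + timedelta(seconds=12), "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\dfsvc.exe", "command_line": "cmd.exe"},
    {"ts": T0 + timedelta(minutes=45), "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\dfsvc.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, the two alerts it prints are the unsigned stage.dll load and the cmd.exe child, both tied back to the rundll32.exe trigger at 09:00:00; the signed inventory.exe load is silent because it is on KnownClickOnceApps, and the cmd.exe at 09:45 is silent because it falls outside TimeWindow. Tuning is entirely through the three mutable elements: widen TIME_WINDOW if your ClickOnce launches are slow, and populate KNOWN_CLICKONCE_APPS from the deployment manifests you actually publish so that legitimate dfsvc.exe activity never reaches stage 2.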