T1127.002 ClickOnce
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.6 ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.3
Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.2 As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.4
Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1.1
Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).65
| Item | Value |
|---|---|
| ID | T1127.002 |
| Sub-techniques | T1127.001, T1127.002, T1127.003 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 1.1 |
| Created | 09 September 2024 |
| Last Modified | 15 April 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1045 | Code Signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.8 |
| M1042 | Disable or Remove Feature or Program | Disable ClickOnce installations from the internet using the following registry key: |
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel — Internet:Disabled47 |
||
| M1021 | Restrict Web-Based Content | Disable ClickOnce installations from the internet using the following registry key: |
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel — Internet:Disabled4 |
References
-
Microsoft. (2023, September 14). ClickOnce security and deployment. Retrieved September 9, 2024. ↩
-
Nick Powers. (2023, June 7). Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024. ↩
-
Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024. ↩↩↩
-
William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution & C2. Retrieved September 9, 2024. ↩
-
William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE IN: When .appref-ms abuse is operating as intended. Retrieved September 9, 2024. ↩↩
-
Microsoft. (2023, August 4). Configure the ClickOnce trust prompt behavior. Retrieved September 9, 2024. ↩
-
Microsoft. (2023, March 9). ClickOnce and Authenticode. Retrieved September 9, 2024. ↩