Skip to content
Threat Feed
high advisory

New Abuse of ClickOnce Technology: Part 1 - Inner Workings and Security Implications

Threat actors are exploiting Microsoft's ClickOnce technology to deploy malware, leveraging its user-friendly, minimal-interaction application distribution model for initial access and execution of malicious code without requiring administrative privileges.

CrowdStrike has observed a new abuse of Microsoft's ClickOnce technology, a deployment framework designed to simplify the distribution and installation of .NET applications. While intended for legitimate software distribution, ClickOnce's features — such as minimal user interaction, no administrative privileges requirement, and self-updating capabilities — make it an attractive vector for threat actors. This Part 1 brief details the internal mechanisms of ClickOnce, from application publishing to endpoint installation, laying the groundwork for understanding its security implications. Attackers can leverage these inherent design choices to spread malware, gain initial access, execute malicious payloads, and potentially maintain persistence on compromised Windows systems. This research serves as a foundational analysis before diving into specific weaponization methods in a subsequent Part 2.

Attack Chain

This brief (Part 1) focuses on the internal workings of the ClickOnce technology and its legitimate deployment journey rather than a specific observed attack chain. It describes the technical foundation that threat actors could exploit, with specific abuse scenarios and weaponization methods expected to be detailed in a subsequent publication (Part 2). Therefore, a concrete step-by-step attack chain of observed malicious activity is not provided in this document.

Impact

The abuse of ClickOnce technology facilitates the straightforward deployment of malicious applications, enabling threat actors to gain initial access and execute arbitrary code on target systems. Should an attack succeed, victims face potential data exfiltration, system compromise, and the installation of additional malware such as ransomware or espionage tools. The ability to install applications with minimal user interaction and without elevated privileges lowers the barrier for attackers, making a wider range of users vulnerable. While no specific victim counts or sectors are detailed in this part of the analysis, the widespread nature of Windows systems makes this a broad potential threat.

Recommendation

  • Enable comprehensive endpoint logging, specifically for process creation events related to ClickOnce deployment, to detect unusual activity.
  • Monitor for the creation or execution of .application files (ClickOnce deployment manifests) in unexpected user directories or network shares, as described in the brief.
  • Implement application whitelisting policies to restrict the execution of unsigned or untrusted ClickOnce applications.
  • Educate users on the risks associated with executing applications from untrusted sources, even those presented through a seemingly legitimate "one-click" installation process that leverages the ClickOnce technology.