Threat Actors Abuse ClickOnce Technology for Initial Access and Persistence
Threat actors are leveraging Microsoft's ClickOnce application deployment technology to achieve initial access, bypass traditional security controls, and establish persistence on target systems by convincing users to execute malicious `.application` files which then deploy malware via legitimate processes and can be updated by attackers.
Threat actors are increasingly exploiting Microsoft's ClickOnce technology, as highlighted by CrowdStrike, to facilitate initial compromise and maintain long-term access within victim environments. This abuse, documented in June 2026, capitalizes on ClickOnce's user-friendly deployment model, allowing malware to be executed with minimal user interaction by simply clicking a misleading button or .application file. Attackers benefit from the technology's ability to operate without elevated privileges and to execute malicious payloads within legitimate Microsoft processes (rundll32.exe, dfsvc.exe), thus bypassing common defenses and flying under the radar of traditional security tools. Furthermore, ClickOnce's built-in update mechanism allows attackers who control the deployment server to remotely update their malware, ensuring persistent access and enabling dynamic command and control. This represents a significant vector for delivering and maintaining sophisticated threats.
Attack Chain
- Initial Access / Delivery: Threat actor crafts a social engineering lure (e.g., phishing email, malicious link on a website) prompting the user to interact with a seemingly legitimate ClickOnce application.
- User Execution: The user clicks a misleading button or opens a malicious
.applicationfile, initiating the ClickOnce deployment process. - Payload Execution (Legitimate Processes): The malicious application's payload is executed by legitimate Microsoft processes such as
dfsvc.exeandrundll32.exe, making it appear as benign system activity. - Defense Evasion: Execution within legitimate process trees and the perceived legitimacy of the ClickOnce UI allow the malicious payload to bypass traditional endpoint security controls and user scrutiny.
- Persistence Establishment (Startup Folder): The attacker configures the deployed ClickOnce application for persistence by placing an
.appref-msfile in the user's Startup folder (e.g.,%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). - Persistence Establishment (Scheduled Task): Alternatively, the attacker creates a scheduled task to regularly process the
.appref-msfile, ensuring repeated execution of the malicious application. - Command and Control / Update: Utilizing ClickOnce's built-in updating mechanism, the attacker, by controlling the deployment server, pushes updates to the malicious application, changing C2 addresses, moving laterally, or performing other post-exploitation actions.
- Impact: The attacker gains sustained remote access, enabling further compromise such as data exfiltration, lateral movement, or deployment of additional malware (e.g., ransomware).
Impact
The abuse of ClickOnce technology allows threat actors to compromise standard user accounts, which constitute the majority of enterprise endpoints, without requiring administrative privileges. Successful exploitation results in the deployment of persistent malware that can evade traditional security defenses due to its execution within legitimate Microsoft processes. This grants attackers continuous remote access, enabling them to update their malicious tools, move laterally within the network, steal sensitive data, or deploy destructive payloads such as ransomware. Organizations face significant risks of data breaches, operational disruption, and financial losses if these attacks are not detected and mitigated early.
Recommendation
- Deploy the Sigma rule "Detect ClickOnce .appref-ms Persistence via Startup Folder" to your SIEM and tune it for your environment.
- Implement application control policies to restrict the execution of unsigned ClickOnce
.applicationfiles or those from untrusted sources. - Enhance email and web gateway protections to block
.applicationfile types at the perimeter and filter suspicious URLs that could host malicious ClickOnce deployments. - Enable comprehensive logging for file creation and modification events, particularly within user profile directories like
%AppData%, to activate the rule above and identify unusual persistence mechanisms. - Educate users about the dangers of unsolicited software installations, including those initiated by clicking web links or attachments, even if they appear to originate from legitimate platforms.
Detection coverage 1
Detect ClickOnce .appref-ms Persistence via Startup Folder
highDetects the creation or modification of a ClickOnce .appref-ms file within a user's Startup folder, indicating potential persistence.
Detection queries are available on the platform. Get full rules →