Threat Actors Abuse Microsoft ClickOnce for Initial Access and Persistence
Threat actors are abusing Microsoft ClickOnce to gain initial access, execute malware, and maintain persistence through deceptive deployment manifests, .appref-ms shortcuts, scheduled tasks, and the ClickOnce update path.
What's new
- l2 CrowdStrike Part 2 added persistence, .appref-ms shortcut, scheduled task, and update-abuse details. Jun 21, 05:21 via crowdstrike
- l1 CrowdStrike Part 1 described ClickOnce deployment mechanics and abuse potential. Jun 20, 15:38 via crowdstrike
Threat actors are abusing Microsoft's ClickOnce deployment technology to run malware and maintain access on Windows systems. ClickOnce is attractive because it can be launched from a web link or .application file, needs only limited user interaction, and normally does not require local administrator privileges.
CrowdStrike's ClickOnce research was originally catalogued as multiple briefs. This page now tracks the ClickOnce activity as one brief and records the Part 1 and Part 2 coverage as updates rather than separate public entries.
Attack Chain
- An attacker prepares a malicious ClickOnce deployment and hosts the deployment manifest or associated application files.
- The attacker delivers the deployment path through phishing, a deceptive web page, a compromised site, or another social engineering channel.
- The victim launches the ClickOnce flow by clicking a link or opening a
.applicationfile. - Windows invokes ClickOnce components such as
dfsvc.exeto retrieve and execute the application. - The malicious payload runs under a legitimate-looking Microsoft process chain, reducing the visibility of the initial execution path.
- The attacker establishes persistence by placing an
.appref-msshortcut in a Startup location or by creating a scheduled task that launches the shortcut. - The attacker can use the ClickOnce update mechanism to refresh payloads or infrastructure when the application is launched again.
Impact
Successful abuse gives an attacker a low-friction execution and persistence path on Windows endpoints. The technique can bypass controls focused on traditional executable delivery, hide activity behind trusted process names, and keep a foothold alive through ClickOnce updates.
Recommendation
- Monitor execution of ClickOnce deployment files and unexpected child processes from
dfsvc.exe,rundll32.exe, and related Microsoft deployment components. - Alert on
.appref-msfiles written to user Startup folders and scheduled tasks that launch.appref-mstargets. - Restrict ClickOnce execution from untrusted locations where possible through application control or software restriction policy.
- Review outbound connections from ClickOnce-related process trees to unknown or newly observed infrastructure.
Detection coverage 2
Detect ClickOnce .appref-ms Persistence via Startup Folder
highDetects creation or modification of ClickOnce application reference files in a user's Startup folder.
Detect ClickOnce .appref-ms Persistence via Scheduled Task Creation
highDetects scheduled task creation that executes a ClickOnce application reference file.
Detection queries are available on the platform. Get full rules →