Skip to content
Threat Feed
high advisory

Threat Actors Abuse Microsoft ClickOnce for Initial Access and Persistence

Threat actors are abusing Microsoft ClickOnce to gain initial access, execute malware, and maintain persistence through deceptive deployment manifests, .appref-ms shortcuts, scheduled tasks, and the ClickOnce update path.

What's new

  • l2 CrowdStrike Part 2 added persistence, .appref-ms shortcut, scheduled task, and update-abuse details. Jun 21, 05:21 via crowdstrike
  • l1 CrowdStrike Part 1 described ClickOnce deployment mechanics and abuse potential. Jun 20, 15:38 via crowdstrike

Threat actors are abusing Microsoft's ClickOnce deployment technology to run malware and maintain access on Windows systems. ClickOnce is attractive because it can be launched from a web link or .application file, needs only limited user interaction, and normally does not require local administrator privileges.

CrowdStrike's ClickOnce research was originally catalogued as multiple briefs. This page now tracks the ClickOnce activity as one brief and records the Part 1 and Part 2 coverage as updates rather than separate public entries.

Attack Chain

  1. An attacker prepares a malicious ClickOnce deployment and hosts the deployment manifest or associated application files.
  2. The attacker delivers the deployment path through phishing, a deceptive web page, a compromised site, or another social engineering channel.
  3. The victim launches the ClickOnce flow by clicking a link or opening a .application file.
  4. Windows invokes ClickOnce components such as dfsvc.exe to retrieve and execute the application.
  5. The malicious payload runs under a legitimate-looking Microsoft process chain, reducing the visibility of the initial execution path.
  6. The attacker establishes persistence by placing an .appref-ms shortcut in a Startup location or by creating a scheduled task that launches the shortcut.
  7. The attacker can use the ClickOnce update mechanism to refresh payloads or infrastructure when the application is launched again.

Impact

Successful abuse gives an attacker a low-friction execution and persistence path on Windows endpoints. The technique can bypass controls focused on traditional executable delivery, hide activity behind trusted process names, and keep a foothold alive through ClickOnce updates.

Recommendation

  • Monitor execution of ClickOnce deployment files and unexpected child processes from dfsvc.exe, rundll32.exe, and related Microsoft deployment components.
  • Alert on .appref-ms files written to user Startup folders and scheduled tasks that launch .appref-ms targets.
  • Restrict ClickOnce execution from untrusted locations where possible through application control or software restriction policy.
  • Review outbound connections from ClickOnce-related process trees to unknown or newly observed infrastructure.

Detection coverage 2

Detect ClickOnce .appref-ms Persistence via Startup Folder

high

Detects creation or modification of ClickOnce application reference files in a user's Startup folder.

sigma tactics: persistence techniques: T1547.001 sources: file_event, windows

Detect ClickOnce .appref-ms Persistence via Scheduled Task Creation

high

Detects scheduled task creation that executes a ClickOnce application reference file.

sigma tactics: persistence techniques: T1053.005 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →