New Abuse of ClickOnce Technology for Initial Access and Persistence

hello@craftedsignal.io — Sun, 21 Jun 2026 05:32:16 +0000

Recent observations highlight a novel abuse of Microsoft's ClickOnce technology by threat actors, focusing on its features for initial access, execution, and persistence. This technique, reported by CrowdStrike in June 2026, exploits the inherent trust and minimal user interaction required for ClickOnce application deployment. Attackers leverage this to distribute malicious payloads, bypassing common security mechanisms like email filters that scrutinize .exe files but may overlook .application files. The method allows for the deployment of malware without requiring administrative privileges, broadening the scope of potential victims to standard user accounts. Furthermore, ClickOnce's built-in update mechanism is co-opted to maintain remote access, update C2 infrastructure, or facilitate lateral movement, all while masquerading within legitimate Microsoft processes such as rundll32.exe and dfsvc.exe, significantly enhancing stealth and defense evasion capabilities.

Attack Chain

Initial Access via User Interaction: Threat actors convince targets to click on a malicious link or open an .application file, often via misleading buttons or phishing campaigns, initiating a ClickOnce application deployment.
Deployment of Malicious ClickOnce Application: The user interaction triggers the download and execution of a weaponized ClickOnce application, which contains or ultimately delivers the malicious payload.
Execution within Legitimate Processes: The malicious payload is executed within the context of legitimate Microsoft processes, primarily dfsvc.exe (Deployment Services Client) or rundll32.exe, to evade detection.
Persistence via .appref-ms file: A shortcut file with the .appref-ms extension is dropped in the user's Start Menu directory (%Users%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\) by the ClickOnce framework, ensuring the malicious application can be re-launched.
Utilizing Built-in Update Mechanism: Once persisted, the attacker can push malicious updates to the application's deployment server. When the user next launches the application via the .appref-ms shortcut, the update mechanism fetches and executes the updated malicious payload without further user prompting.
Remote Access and C2 Maintenance: The updated malicious application can establish persistent remote access, update its command and control (C2) infrastructure, or perform other post-exploitation activities like data exfiltration.
Lateral Movement (Potential): Through the maintained remote access and updated C2, attackers can initiate lateral movement within the compromised network.

Impact

Successful exploitation of ClickOnce technology allows attackers to gain persistent access to targeted systems, bypassing traditional security controls and executing payloads under the guise of legitimate Microsoft processes. This enables capabilities such as remote code execution, data exfiltration, and the establishment of long-term command and control. The lack of administrative privilege requirements means a wider range of user accounts are vulnerable. The ease of payload delivery, coupled with the ability to silently update malware, poses a significant risk for continued compromise and facilitates further malicious activities including ransomware deployment or corporate espionage across targeted organizations in various sectors.

Recommendation

Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce activity.
Enable Sysmon process-creation and file-event logging to activate the rules above.
Monitor for process creations where dfsvc.exe is the parent and the child process is not a known, legitimate application.
Educate users on the risks associated with clicking on links or opening .application files from untrusted sources, even if they appear to initiate a software installation.
Implement application whitelisting solutions to prevent the execution of unauthorized ClickOnce applications or executables launched by them.

Abuse of Microsoft ClickOnce Technology for Malware Deployment

hello@craftedsignal.io — Sat, 20 Jun 2026 15:38:30 +0000

Microsoft's ClickOnce technology, intended to streamline application distribution and updates, is being increasingly abused by threat actors to deploy malicious software. ClickOnce facilitates the deployment of applications with minimal user interaction and often without requiring administrative privileges, making it an ideal vector for malware. This allows adversaries to package and distribute their payloads in a user-friendly format, potentially bypassing traditional security controls. While Part 1 of this research focuses on the internal workings of ClickOnce, it highlights features such as self-contained packaging and self-updating functionality which, if weaponized, could enable persistent and evasive malware campaigns. This abuse poses a significant risk to organizations, as it simplifies the initial access and execution phases for attackers by leveraging a legitimate Microsoft deployment mechanism.

Attack Chain

Threat actor packages a malicious application using Microsoft's ClickOnce publishing tools in Visual Studio.
The actor hosts the generated ClickOnce deployment files (e.g., .application manifest, executable, .deploy files) on a remote web server or network share.
The attacker creates a malicious link, often embedded in a phishing email or hosted on a compromised website, to trigger the download and deployment of the ClickOnce application.
A user clicks the malicious link, which initiates the download of the .application deployment manifest.
The Windows operating system's ClickOnce deployment service (dfsvc.exe) processes the manifest and, if the publisher's signature is not verified, prompts the user for confirmation.
Upon user confirmation, dfsvc.exe downloads and executes the packaged malicious application.
The malicious application runs with the user's privileges, potentially performing actions such as data exfiltration or installing additional malware.
If configured for installation, the malicious ClickOnce application might establish persistence (e.g., via startup entries) and use ClickOnce's self-updating feature for dynamic command and control.

Impact

The abuse of ClickOnce technology allows attackers to easily distribute malware, potentially leading to widespread infections. Because ClickOnce applications often run without requiring administrative privileges, they can bypass security measures that rely on privilege escalation detection. Successful exploitation can result in unauthorized access, data theft, further system compromise, and the deployment of ransomware or other destructive payloads. The self-updating nature of ClickOnce applications means that initially deployed malware can evolve, receive new capabilities, or evade detection over time, making long-term compromise more likely.

Recommendation

Deploy the Sigma rule "Detect ClickOnce Deployment Service Launching Applications" to monitor dfsvc.exe activity for suspicious application launches.
Implement the Sigma rule "Detect Download of Suspicious ClickOnce Deployment Files" to identify .application or .manifest files downloaded from unusual sources.
Use the Sigma rule "Detect ClickOnce Application Execution from Suspicious Paths" to flag executions of ClickOnce apps from temporary or user-controlled directories.
Educate users on the risks associated with installing unsigned or untrusted applications via ClickOnce prompts.
Enable comprehensive process creation logging for dfsvc.exe to capture command-line arguments and parent-child process relationships.

ClickOnce - CraftedSignal Threat Feed

New Abuse of ClickOnce Technology for Initial Access and Persistence

Attack Chain

Impact

Recommendation

Abuse of Microsoft ClickOnce Technology for Malware Deployment

Attack Chain

Impact

Recommendation