<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dfsvc.exe - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dfsvc.exe/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 08:07:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dfsvc.exe/feed.xml" rel="self" type="application/rss+xml"/><item><title>New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever</title><link>https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse-part2/</link><pubDate>Wed, 08 Jul 2026 08:07:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse-part2/</guid><description>Threat actors are actively exploiting Microsoft's ClickOnce deployment technology, leveraging its low user interaction, lack of privilege requirements, and built-in update mechanisms to deliver malware, establish persistence, and maintain remote access, often executing payloads within legitimate rundll32.exe and dfsvc.exe processes.</description><content:encoded><![CDATA[<p>CrowdStrike has identified new methods of abusing Microsoft's ClickOnce deployment technology, which threat actors are actively leveraging to deliver malware, achieve persistence, and maintain remote access. This abuse exploits ClickOnce's minimal user interaction, ability to deploy without administrative privileges, and built-in updating mechanism. Actors are observed weaponizing <code>.application</code> files and manipulating <code>.appref-ms</code> shortcuts to stealthily execute payloads within legitimate Microsoft processes such as <code>rundll32.exe</code> and <code>dfsvc.exe</code>. The simplified delivery phase bypasses traditional defenses like email filters, and the lack of user awareness regarding ClickOnce installations contributes to the success of these attacks. This ongoing threat highlights a significant vector for initial access and long-term compromise against Windows endpoints.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Threat actor persuades a user to click a malicious link or button on a webpage, or directly delivers a weaponized <code>.application</code> file via a non-email vector.</li>
<li><strong>Execution (ClickOnce Deployment):</strong> The malicious ClickOnce application is downloaded and executed, initiating the deployment process on the victim's machine.</li>
<li><strong>Execution (Payload Launch):</strong> The malicious payload embedded within the ClickOnce application is launched, often executing discreetly within the context of legitimate Microsoft processes such as <code>rundll32.exe</code> or <code>dfsvc.exe</code>.</li>
<li><strong>Persistence (Shortcut Creation):</strong> An <code>.appref-ms</code> file, configured to launch the malicious ClickOnce application, is created and placed in the user's Start Menu or other auto-run locations (e.g., Startup folder).</li>
<li><strong>Persistence (Update Mechanism Abuse):</strong> The threat actor updates the malicious ClickOnce application on their controlled deployment server with new or modified malicious components, including altered command and control (C2) addresses.</li>
<li><strong>Persistence (Re-execution):</strong> When the user subsequently launches the ClickOnce application from the Start Menu shortcut, the built-in update mechanism automatically downloads and executes the updated malicious payload without further user authorization.</li>
<li><strong>Command and Control:</strong> The executed payload establishes command and control (C2) communications with the attacker's infrastructure, enabling remote access, further lateral movement, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of ClickOnce technology allows threat actors to bypass common security controls and establish persistent access to compromised systems without requiring administrative privileges. This can lead to the installation of various malware, including remote access tools, information stealers, or ransomware. Organizations face risks of data exfiltration, system takeover, and significant financial or reputational damage, as adversaries can continuously update their malicious applications and maintain a covert presence.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon <code>FileCreate</code> and <code>ProcessCreate</code> event logging on Windows endpoints to capture activity related to ClickOnce deployment and execution.</li>
<li>Deploy the Sigma rule &quot;Detect ClickOnce .appref-ms Persistence&quot; to identify suspicious creation or modification of <code>.appref-ms</code> files in auto-run directories.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Outbound Network Connection from ClickOnce Service&quot; to flag unusual network activity originating from the <code>dfsvc.exe</code> process.</li>
<li>Educate users on the risks associated with clicking suspicious links and executing <code>.application</code> files from untrusted sources, emphasizing that these can trigger software installation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>clickonce</category><category>microsoft</category><category>persistence</category><category>delivery</category><category>windows</category><category>endpoint</category></item></channel></rss>