{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rundll32.exe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":[],"_cs_products":["ClickOnce","ClickOnce technology","Microsoft ClickOnce",".application files",".appref-ms files","ClickOnce applications",".NET Framework","rundll32.exe","dfsvc.exe"],"_cs_severities":["high"],"_cs_tags":["clickonce","microsoft","persistence","delivery","windows","endpoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCrowdStrike has identified new methods of abusing Microsoft's ClickOnce deployment technology, which threat actors are actively leveraging to deliver malware, achieve persistence, and maintain remote access. This abuse exploits ClickOnce's minimal user interaction, ability to deploy without administrative privileges, and built-in updating mechanism. Actors are observed weaponizing \u003ccode\u003e.application\u003c/code\u003e files and manipulating \u003ccode\u003e.appref-ms\u003c/code\u003e shortcuts to stealthily execute payloads within legitimate Microsoft processes such as \u003ccode\u003erundll32.exe\u003c/code\u003e and \u003ccode\u003edfsvc.exe\u003c/code\u003e. The simplified delivery phase bypasses traditional defenses like email filters, and the lack of user awareness regarding ClickOnce installations contributes to the success of these attacks. This ongoing threat highlights a significant vector for initial access and long-term compromise against Windows endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Threat actor persuades a user to click a malicious link or button on a webpage, or directly delivers a weaponized \u003ccode\u003e.application\u003c/code\u003e file via a non-email vector.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (ClickOnce Deployment):\u003c/strong\u003e The malicious ClickOnce application is downloaded and executed, initiating the deployment process on the victim's machine.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (Payload Launch):\u003c/strong\u003e The malicious payload embedded within the ClickOnce application is launched, often executing discreetly within the context of legitimate Microsoft processes such as \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003edfsvc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Shortcut Creation):\u003c/strong\u003e An \u003ccode\u003e.appref-ms\u003c/code\u003e file, configured to launch the malicious ClickOnce application, is created and placed in the user's Start Menu or other auto-run locations (e.g., Startup folder).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Update Mechanism Abuse):\u003c/strong\u003e The threat actor updates the malicious ClickOnce application on their controlled deployment server with new or modified malicious components, including altered command and control (C2) addresses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Re-execution):\u003c/strong\u003e When the user subsequently launches the ClickOnce application from the Start Menu shortcut, the built-in update mechanism automatically downloads and executes the updated malicious payload without further user authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The executed payload establishes command and control (C2) communications with the attacker's infrastructure, enabling remote access, further lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of ClickOnce technology allows threat actors to bypass common security controls and establish persistent access to compromised systems without requiring administrative privileges. This can lead to the installation of various malware, including remote access tools, information stealers, or ransomware. Organizations face risks of data exfiltration, system takeover, and significant financial or reputational damage, as adversaries can continuously update their malicious applications and maintain a covert presence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon \u003ccode\u003eFileCreate\u003c/code\u003e and \u003ccode\u003eProcessCreate\u003c/code\u003e event logging on Windows endpoints to capture activity related to ClickOnce deployment and execution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect ClickOnce .appref-ms Persistence\u0026quot; to identify suspicious creation or modification of \u003ccode\u003e.appref-ms\u003c/code\u003e files in auto-run directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Outbound Network Connection from ClickOnce Service\u0026quot; to flag unusual network activity originating from the \u003ccode\u003edfsvc.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with clicking suspicious links and executing \u003ccode\u003e.application\u003c/code\u003e files from untrusted sources, emphasizing that these can trigger software installation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T08:12:28Z","date_published":"2026-07-08T08:07:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse-part2/","summary":"Threat actors are actively exploiting Microsoft's ClickOnce deployment technology, leveraging its low user interaction, lack of privilege requirements, and built-in update mechanisms to deliver malware, establish persistence, and maintain remote access, often executing payloads within legitimate rundll32.exe and dfsvc.exe processes.","title":"New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever","url":"https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse-part2/"}],"language":"en","title":"CraftedSignal Threat Feed - Rundll32.exe","version":"https://jsonfeed.org/version/1.1"}