{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/clickonce/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ClickOnce"],"_cs_severities":["high"],"_cs_tags":["clickonce","windows","initial-access","persistence","defense-evasion","execution"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eRecent observations highlight a novel abuse of Microsoft's ClickOnce technology by threat actors, focusing on its features for initial access, execution, and persistence. This technique, reported by CrowdStrike in June 2026, exploits the inherent trust and minimal user interaction required for ClickOnce application deployment. Attackers leverage this to distribute malicious payloads, bypassing common security mechanisms like email filters that scrutinize \u003ccode\u003e.exe\u003c/code\u003e files but may overlook \u003ccode\u003e.application\u003c/code\u003e files. The method allows for the deployment of malware without requiring administrative privileges, broadening the scope of potential victims to standard user accounts. 
Furthermore, ClickOnce's built-in update mechanism is co-opted to maintain remote access, update C2 infrastructure, or facilitate lateral movement, all while masquerading within legitimate Microsoft processes such as \u003ccode\u003erundll32.exe\u003c/code\u003e and \u003ccode\u003edfsvc.exe\u003c/code\u003e, significantly enhancing stealth and defense evasion capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via User Interaction\u003c/strong\u003e: Threat actors convince targets to click on a malicious link or open an \u003ccode\u003e.application\u003c/code\u003e file, often via misleading buttons or phishing campaigns, initiating a ClickOnce application deployment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment of Malicious ClickOnce Application\u003c/strong\u003e: The user interaction triggers the download and execution of a weaponized ClickOnce application, which contains or ultimately delivers the malicious payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution within Legitimate Processes\u003c/strong\u003e: The malicious payload is executed within the context of legitimate Microsoft processes, primarily \u003ccode\u003edfsvc.exe\u003c/code\u003e (Deployment Services Client) or \u003ccode\u003erundll32.exe\u003c/code\u003e, to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence via \u003ccode\u003e.appref-ms\u003c/code\u003e file\u003c/strong\u003e: A shortcut file with the \u003ccode\u003e.appref-ms\u003c/code\u003e extension is dropped in the user's Start Menu directory (\u003ccode\u003e%Users%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\\u003c/code\u003e) by the ClickOnce framework, ensuring the malicious application can be re-launched.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUtilizing Built-in Update Mechanism\u003c/strong\u003e: Once persisted, the attacker can push malicious 
updates to the application's deployment server. When the user next launches the application via the \u003ccode\u003e.appref-ms\u003c/code\u003e shortcut, the update mechanism fetches and executes the updated malicious payload without further user prompting.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Access and C2 Maintenance\u003c/strong\u003e: The updated malicious application can establish persistent remote access, update its command and control (C2) infrastructure, or perform other post-exploitation activities like data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential)\u003c/strong\u003e: Through the maintained remote access and updated C2, attackers can initiate lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of ClickOnce technology allows attackers to gain persistent access to targeted systems, bypassing traditional security controls and executing payloads under the guise of legitimate Microsoft processes. This enables capabilities such as remote code execution, data exfiltration, and the establishment of long-term command and control. The lack of administrative privilege requirements means a wider range of user accounts are vulnerable. 
The ease of payload delivery, coupled with the ability to silently update malware, poses a significant risk for continued compromise and facilitates further malicious activities including ransomware deployment or corporate espionage across targeted organizations in various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation and file-event logging to activate the rules above.\u003c/li\u003e\n\u003cli\u003eMonitor for process creations where \u003ccode\u003edfsvc.exe\u003c/code\u003e is the parent and the child process is not a known, legitimate application.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with clicking on links or opening \u003ccode\u003e.application\u003c/code\u003e files from untrusted sources, even if they appear to initiate a software installation.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting solutions to prevent the execution of unauthorized ClickOnce applications or executables launched by them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-21T05:32:16Z","date_published":"2026-06-21T05:32:16Z","id":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse/","summary":"Threat actors are weaponizing Microsoft's ClickOnce technology to achieve initial access, execution, and persistence on target systems, leveraging its user-friendly deployment and update mechanisms to bypass traditional security defenses and maintain remote access without requiring administrative privileges, executing payloads within legitimate Microsoft process trees.","title":"New Abuse of ClickOnce Technology for Initial Access and 
Persistence","url":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft ClickOnce"],"_cs_severities":["high"],"_cs_tags":["clickonce","persistence","defense-evasion","windows","malware","social-engineering"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThreat actors are increasingly abusing Microsoft's ClickOnce deployment technology, particularly focusing on its update mechanism, to establish persistent malware presence and evade detection. This technique, highlighted by CrowdStrike in June 2026, leverages the user-friendly installation and built-in updating features of ClickOnce to bypass traditional defenses. Attackers lure users into installing seemingly harmless ClickOnce applications, which drop \u003ccode\u003e.appref-ms\u003c/code\u003e shortcut files in the Start Menu. Subsequently, the threat actors can push malicious updates to these applications from their controlled deployment servers. This allows for silent malware updates, C2 address changes, and lateral movement capabilities, all while operating within legitimate Microsoft processes like \u003ccode\u003edfsvc.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e. 
This abuse takes advantage of a general lack of awareness around ClickOnce security, providing a stealthy and persistent vector on enterprise endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Social Engineering:\u003c/strong\u003e The attacker convinces a target user, often through phishing emails or malicious websites, to click a link or button that initiates a ClickOnce application download.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious ClickOnce Application Deployment:\u003c/strong\u003e The user's interaction triggers the download and execution of a malicious \u003ccode\u003e.application\u003c/code\u003e file, initiating the ClickOnce deployment process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution via Legitimate Processes:\u003c/strong\u003e The malicious payload executes within legitimate Microsoft process trees, specifically utilizing \u003ccode\u003edfsvc.exe\u003c/code\u003e (ClickOnce Deployment Support Service) and \u003ccode\u003erundll32.exe\u003c/code\u003e to launch the initial malicious components.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence through \u003ccode\u003e.appref-ms\u003c/code\u003e File:\u003c/strong\u003e If the application is configured for offline availability, a shortcut file (\u003ccode\u003e.appref-ms\u003c/code\u003e) is dropped into the user's Start Menu (\u003ccode\u003e%Users%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Update Delivery:\u003c/strong\u003e When the user subsequently launches the application via the \u003ccode\u003e.appref-ms\u003c/code\u003e shortcut, the ClickOnce client checks for updates from the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSilent Payload Update and Re-execution:\u003c/strong\u003e The attacker pushes a malicious update to the 
deployment server, which is then downloaded and executed by the \u003ccode\u003edfsvc.exe\u003c/code\u003e process without requiring user re-authorization or prompting.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Remote Access/Lateral Movement):\u003c/strong\u003e The updated malicious payload can then establish remote access, modify C2 addresses, facilitate lateral movement, or perform other malicious actions on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of ClickOnce's update mechanism allows threat actors to maintain persistent access to targeted systems with high stealth. Because the initial application deployment does not require administrative privileges, standard user accounts, which comprise the majority of enterprise endpoints, are vulnerable. Once established, attackers can silently update their malware, enabling them to alter C2 infrastructure, facilitate lateral movement within a network, and exfiltrate sensitive data. 
This technique bypasses common email gateway protections and traditional file-based scrutiny, leading to extended dwell times and increased potential for significant data breaches or system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eImplement a robust Endpoint Detection and Response (EDR) solution:\u003c/strong\u003e Deploy EDR capabilities to detect suspicious process creation and network connections from \u003ccode\u003edfsvc.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e as detailed in the Sigma rules below.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief to your SIEM/EDR:\u003c/strong\u003e Tune the provided rules to detect \u003ccode\u003edfsvc.exe\u003c/code\u003e spawning unusual child processes or making suspicious network connections, and \u003ccode\u003erundll32.exe\u003c/code\u003e executing with abnormal parameters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e events:\u003c/strong\u003e Specifically watch for instances where \u003ccode\u003edfsvc.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e act as parent processes for scripting interpreters (e.g., powershell.exe, cmd.exe) or other unusual executables.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor \u003ccode\u003enetwork_connection\u003c/code\u003e events:\u003c/strong\u003e Focus on outbound connections initiated by \u003ccode\u003edfsvc.exe\u003c/code\u003e to non-standard ports or suspicious external IP addresses/domains.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEducate users on ClickOnce risks:\u003c/strong\u003e Increase awareness about the nature of \u003ccode\u003e.application\u003c/code\u003e files and the potential risks of installing software from untrusted sources, even if the installation appears to be 
legitimate.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-21T05:21:58Z","date_published":"2026-06-21T05:21:58Z","id":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse-part2/","summary":"Threat actors are exploiting the legitimate update mechanism of Microsoft ClickOnce applications, particularly through `.appref-ms` files, to maintain persistence, bypass security controls, and deliver updated malicious payloads without requiring elevated privileges or user re-authorization on Windows systems.","title":"Threat Actors Abuse Microsoft ClickOnce Update Mechanism for Persistent Malware Delivery","url":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse-part2/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ClickOnce"],"_cs_severities":["medium"],"_cs_tags":["clickonce","deployment","windows","malware-distribution","application-deployment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft's ClickOnce technology, intended to streamline application distribution and updates, is being increasingly abused by threat actors to deploy malicious software. ClickOnce facilitates the deployment of applications with minimal user interaction and often without requiring administrative privileges, making it an ideal vector for malware. This allows adversaries to package and distribute their payloads in a user-friendly format, potentially bypassing traditional security controls. While Part 1 of this research focuses on the internal workings of ClickOnce, it highlights features such as self-contained packaging and self-updating functionality which, if weaponized, could enable persistent and evasive malware campaigns. 
This abuse poses a significant risk to organizations, as it simplifies the initial access and execution phases for attackers by leveraging a legitimate Microsoft deployment mechanism.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThreat actor packages a malicious application using Microsoft's ClickOnce publishing tools in Visual Studio.\u003c/li\u003e\n\u003cli\u003eThe actor hosts the generated ClickOnce deployment files (e.g., \u003ccode\u003e.application\u003c/code\u003e manifest, executable, \u003ccode\u003e.deploy\u003c/code\u003e files) on a remote web server or network share.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious link, often embedded in a phishing email or hosted on a compromised website, to trigger the download and deployment of the ClickOnce application.\u003c/li\u003e\n\u003cli\u003eA user clicks the malicious link, which initiates the download of the \u003ccode\u003e.application\u003c/code\u003e deployment manifest.\u003c/li\u003e\n\u003cli\u003eThe Windows operating system's ClickOnce deployment service (\u003ccode\u003edfsvc.exe\u003c/code\u003e) processes the manifest and, if the publisher's signature is not verified, prompts the user for confirmation.\u003c/li\u003e\n\u003cli\u003eUpon user confirmation, \u003ccode\u003edfsvc.exe\u003c/code\u003e downloads and executes the packaged malicious application.\u003c/li\u003e\n\u003cli\u003eThe malicious application runs with the user's privileges, potentially performing actions such as data exfiltration or installing additional malware.\u003c/li\u003e\n\u003cli\u003eIf configured for installation, the malicious ClickOnce application might establish persistence (e.g., via startup entries) and use ClickOnce's self-updating feature for dynamic command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of ClickOnce technology allows attackers to easily 
distribute malware, potentially leading to widespread infections. Because ClickOnce applications often run without requiring administrative privileges, they can bypass security measures that rely on privilege escalation detection. Successful exploitation can result in unauthorized access, data theft, further system compromise, and the deployment of ransomware or other destructive payloads. The self-updating nature of ClickOnce applications means that initially deployed malware can evolve, receive new capabilities, or evade detection over time, making long-term compromise more likely.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect ClickOnce Deployment Service Launching Applications\u0026quot; to monitor \u003ccode\u003edfsvc.exe\u003c/code\u003e activity for suspicious application launches.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect Download of Suspicious ClickOnce Deployment Files\u0026quot; to identify \u003ccode\u003e.application\u003c/code\u003e or \u003ccode\u003e.manifest\u003c/code\u003e files downloaded from unusual sources.\u003c/li\u003e\n\u003cli\u003eUse the Sigma rule \u0026quot;Detect ClickOnce Application Execution from Suspicious Paths\u0026quot; to flag executions of ClickOnce apps from temporary or user-controlled directories.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with installing unsigned or untrusted applications via ClickOnce prompts.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive process creation logging for \u003ccode\u003edfsvc.exe\u003c/code\u003e to capture command-line arguments and parent-child process relationships.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-20T15:38:30Z","date_published":"2026-06-20T15:38:30Z","id":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse-part1/","summary":"Threat actors are leveraging Microsoft's ClickOnce 
technology, designed for simplified application deployment, as an attractive vector to spread malware, allowing for easy distribution, minimal user interaction, and installation without elevated privileges on Windows systems.","title":"Abuse of Microsoft ClickOnce Technology for Malware Deployment","url":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse-part1/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ClickOnce technology"],"_cs_severities":["medium"],"_cs_tags":["clickonce","windows","application-deployment","abuse-t1204.002"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCrowdStrike has highlighted the potential for abuse of Microsoft's ClickOnce technology, a deployment mechanism designed to simplify application distribution and installation on Windows systems. While ClickOnce offers developers an easy way to package and deliver software, requiring minimal user interaction and no administrative privileges, these very features can be weaponized by threat actors. This initial analysis focuses on the underlying mechanics of ClickOnce deployment, setting the stage for understanding how malicious actors could leverage it to bypass traditional security measures. The user-friendly \u0026quot;click once\u0026quot; installation process means that unsuspecting victims could inadvertently deploy malware, making it a powerful vehicle for initial access and execution. 
This vulnerability is significant for defenders as it represents a novel or under-documented method for adversaries to achieve their objectives without relying on more commonly detected techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e: Attacker crafts a malicious application and publishes it using ClickOnce technology, generating a deployment file (e.g., a \u003ccode\u003e.application\u003c/code\u003e file).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The attacker hosts the malicious ClickOnce deployment file on a controlled website or delivers it via a malicious link in a phishing email or message.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Execution\u003c/strong\u003e: A victim is lured into clicking the malicious link or opening the deployment file, which triggers its download and initiates the ClickOnce deployment process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Prompt\u003c/strong\u003e: The operating system displays a security warning or confirmation dialog to the user, particularly if the application publisher's signature is untrusted or unknown.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment Service Invocation\u003c/strong\u003e: Upon user confirmation, the Windows Deployment Foundation Services (\u003ccode\u003edfsvc.exe\u003c/code\u003e) process is invoked to handle the download and installation/execution of the ClickOnce application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Cache Write\u003c/strong\u003e: The malicious ClickOnce application's files are downloaded and written to the user's ClickOnce application cache, typically located in \u003ccode\u003e%LOCALAPPDATA%\\Apps\\2.0\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Execution\u003c/strong\u003e: The malicious ClickOnce application is launched, executing its 
payload which could include installing additional malware, establishing persistence, or performing data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully abused, the ClickOnce technology can lead to widespread malware infections, enabling attackers to establish a foothold on victim systems without requiring elevated privileges. Organizations could face data breaches, ransomware attacks, or system compromise as malicious applications bypass conventional security controls. The user-friendly nature of ClickOnce deployment lowers the barrier for successful social engineering, increasing the likelihood of successful attacks across various sectors. While specific victim counts are not available for this abuse method in this part of the research, the potential impact is broad, affecting any Windows environment where users might encounter and execute ClickOnce applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment, specifically focusing on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003enetwork_connection\u003c/code\u003e logs related to ClickOnce.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e logging to capture executions of \u003ccode\u003edfsvc.exe\u003c/code\u003e and any processes launched from the ClickOnce application cache (\u003ccode\u003e%LOCALAPPDATA%\\Apps\\2.0\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003enetwork_connection\u003c/code\u003e logs for outbound connections initiated by \u003ccode\u003edfsvc.exe\u003c/code\u003e or other ClickOnce-related processes to suspicious or untrusted domains.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of executing applications from untrusted sources, even those presented through 
what appears to be a legitimate Windows installation wizard, as this relates to the Attack Chain step of \u0026quot;Security Prompt\u0026quot;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T04:55:22Z","date_published":"2026-06-19T04:55:22Z","id":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse-potential/","summary":"Threat actors can abuse Microsoft's ClickOnce technology, which allows for simplified application distribution and installation with minimal user interaction and no administrative privileges, to easily spread malware and bypass traditional security controls through a 'click once' deployment.","title":"Potential Abuse of Microsoft ClickOnce Technology for Malware Delivery","url":"https://feed.craftedsignal.io/briefs/2026-06-clickonce-abuse-potential/"}],"language":"en","title":"CraftedSignal Threat Feed - Clickonce","version":"https://jsonfeed.org/version/1.1"}