<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Threat-Vector - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/threat-vector/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 19:26:09 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/threat-vector/feed.xml" rel="self" type="application/rss+xml"/><item><title>New Abuse of ClickOnce Technology, Part 1: Internals and Attack Vector</title><link>https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse-part1/</link><pubDate>Tue, 07 Jul 2026 19:26:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse-part1/</guid><description>Threat actors are abusing Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to spread malware by leveraging its user-friendly installation process that bypasses traditional security controls and administrative privileges, facilitating initial access and execution on Windows endpoints.</description><content:encoded><![CDATA[<p>CrowdStrike has published &quot;Part 1&quot; of a two-part series detailing a new abuse of Microsoft's ClickOnce technology, a deployment mechanism designed for distributing applications and updates without requiring administrative privileges. This initial part, published on 2026-07-07, provides an in-depth look into the internal workings of ClickOnce, a capability often overlooked by both developers and security professionals. The technology's design, which allows for minimal user interaction and no elevated privileges for application deployment, presents a significant vector for threat actors to spread malware easily. By packaging malicious applications as ClickOnce deployments (typically <code>.application</code> files), attackers can bypass traditional security controls and user installation hurdles, facilitating initial access and execution on targeted Windows endpoints. This brief sets the foundation for understanding how this user-friendly feature can be weaponized, preparing defenders for the specific abuse methods and detection strategies to be detailed in Part 2.</p>
<h2 id="impact">Impact</h2>
<p>The abuse of ClickOnce technology allows threat actors to easily distribute malware, leading to unauthorized initial access and execution on user systems. Its ability to deploy applications without requiring administrative privileges means that even users with standard permissions can inadvertently install malicious software. This bypasses traditional security measures that rely on user privilege escalation or complex installation procedures, making it a highly effective delivery mechanism. While this part of the series does not detail specific campaigns or victim counts, it highlights a fundamental architectural flaw that can be leveraged across various sectors to compromise Windows endpoints, leading to data exfiltration, further compromise, or ransomware deployment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Familiarize detection engineering teams with the internal workings of Microsoft ClickOnce technology, specifically the execution flow initiated by <code>.application</code> files, as detailed in this brief, to better understand potential abuse vectors.</li>
<li>Prepare to deploy specific detection rules and blocking mechanisms for malicious ClickOnce applications upon the release of Part 2 of the CrowdStrike research series, which is referenced in this brief and expected to provide concrete weaponization methods and strategies.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>clickonce</category><category>malware-delivery</category><category>windows</category><category>microsoft</category><category>deployment-technology</category><category>threat-vector</category></item></channel></rss>