{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/windows-exploitation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ClickOnce"],"_cs_severities":["high"],"_cs_tags":["clickonce","malware-delivery","persistence","windows-exploitation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCrowdStrike has observed new abuse of Microsoft's ClickOnce technology by threat actors for malware delivery, persistence, and defense evasion, as detailed in their July 2026 report, \u0026quot;New Abuse of the ClickOnce Technology, Part 2.\u0026quot; This method bypasses common protection mechanisms by leveraging ClickOnce's low-friction installation, often requiring only one or two clicks from the target. Adversaries capitalize on the general lack of awareness regarding \u003ccode\u003e.application\u003c/code\u003e files and ClickOnce behavior, allowing them to install malicious payloads without requiring elevated privileges. A key abuse involves compromising legitimate ClickOnce application servers to push malicious updates via \u003ccode\u003e.appref-ms\u003c/code\u003e files, ensuring that even initially benign applications can become malicious, executing within trusted \u003ccode\u003erundll32.exe\u003c/code\u003e and \u003ccode\u003edfsvc.exe\u003c/code\u003e processes. This technique provides attackers with a stealthy and persistent method for maintaining remote access and updating their malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious ClickOnce application or compromises a legitimate ClickOnce deployment server.\u003c/li\u003e\n\u003cli\u003eAttacker entices a user to click a misleading link or button on a webpage, leading to the execution of a \u003ccode\u003e.application\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe ClickOnce application initiates its deployment and installation on the user's Windows system.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003e.appref-ms\u003c/code\u003e shortcut file is dropped into the user's Start Menu (e.g., \u003ccode\u003e%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\\u003c/code\u003e) for offline access or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker pushes a malicious update to the controlled or compromised ClickOnce deployment server.\u003c/li\u003e\n\u003cli\u003eThe user launches the ClickOnce application, either from the Start Menu shortcut, by placing the \u003ccode\u003e.appref-ms\u003c/code\u003e file in the Startup folder, or via a scheduled task.\u003c/li\u003e\n\u003cli\u003eThe ClickOnce components detect an available update, fetch the malicious payload from the deployment server, and execute it.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes under legitimate Microsoft processes like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003edfsvc.exe\u003c/code\u003e, establishing persistence, command and control, or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of ClickOnce technology significantly lowers the barrier to entry for attackers, as it enables the deployment of malware without requiring elevated privileges and often bypasses traditional security controls like mailbox filtering systems. If successful, attackers can achieve persistent access to target systems, execute arbitrary code within legitimate Microsoft processes, and maintain remote access with an easily updatable malicious payload. This stealthy execution can lead to data exfiltration, further network compromise, or the deployment of ransomware, impacting targeted organizations across various sectors. The lack of user awareness about ClickOnce installation mechanisms makes this an effective social engineering vector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious persistence mechanisms leveraging \u003ccode\u003e.appref-ms\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon \u003ccode\u003eProcessCreate\u003c/code\u003e and \u003ccode\u003eFileCreate\u003c/code\u003e event logging to activate the Sigma rules and gain visibility into process execution and file system changes related to ClickOnce.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with clicking links or opening \u003ccode\u003e.application\u003c/code\u003e files from untrusted sources, emphasizing that software installations should typically require explicit administrative consent.\u003c/li\u003e\n\u003cli\u003eMonitor for unsanctioned ClickOnce applications being installed or updated within your environment, focusing on their origins and behaviors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T19:31:46Z","date_published":"2026-07-07T19:31:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse/","summary":"Threat actors are actively exploiting Microsoft's ClickOnce technology to facilitate malware delivery, achieve persistence, and evade traditional defenses by leveraging its user-friendly deployment, general lack of awareness, and ability to install applications without elevated privileges, often pushing malicious updates via .appref-ms files that execute within legitimate Microsoft process trees such as rundll32.exe and dfsvc.exe.","title":"New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever","url":"https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows-Exploitation","version":"https://jsonfeed.org/version/1.1"}