<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Windows-Exploitation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/windows-exploitation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 19:31:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/windows-exploitation/feed.xml" rel="self" type="application/rss+xml"/><item><title>New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever</title><link>https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse/</link><pubDate>Tue, 07 Jul 2026 19:31:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse/</guid><description>Threat actors are actively exploiting Microsoft's ClickOnce technology to facilitate malware delivery, achieve persistence, and evade traditional defenses by leveraging its user-friendly deployment, general lack of awareness, and ability to install applications without elevated privileges, often pushing malicious updates via .appref-ms files that execute within legitimate Microsoft process trees such as rundll32.exe and dfsvc.exe.</description><content:encoded><![CDATA[<p>CrowdStrike has observed new abuse of Microsoft's ClickOnce technology by threat actors for malware delivery, persistence, and defense evasion, as detailed in their July 2026 report, &quot;New Abuse of the ClickOnce Technology, Part 2.&quot; This method bypasses common protection mechanisms by leveraging ClickOnce's low-friction installation, often requiring only one or two clicks from the target. Adversaries capitalize on the general lack of awareness regarding <code>.application</code> files and ClickOnce behavior, allowing them to install malicious payloads without requiring elevated privileges. A key abuse involves compromising legitimate ClickOnce application servers to push malicious updates via <code>.appref-ms</code> files, ensuring that even initially benign applications can become malicious, executing within trusted <code>rundll32.exe</code> and <code>dfsvc.exe</code> processes. This technique provides attackers with a stealthy and persistent method for maintaining remote access and updating their malware.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious ClickOnce application or compromises a legitimate ClickOnce deployment server.</li>
<li>Attacker entices a user to click a misleading link or button on a webpage, leading to the execution of a <code>.application</code> file.</li>
<li>The ClickOnce application initiates its deployment and installation on the user's Windows system.</li>
<li>A <code>.appref-ms</code> shortcut file is dropped into the user's Start Menu (e.g., <code>%APPDATA%\Microsoft\Windows\Start Menu\Programs\</code>) for offline access or persistence.</li>
<li>The attacker pushes a malicious update to the controlled or compromised ClickOnce deployment server.</li>
<li>The user launches the ClickOnce application, either from the Start Menu shortcut, by placing the <code>.appref-ms</code> file in the Startup folder, or via a scheduled task.</li>
<li>The ClickOnce components detect an available update, fetch the malicious payload from the deployment server, and execute it.</li>
<li>The malicious payload executes under legitimate Microsoft processes like <code>rundll32.exe</code> or <code>dfsvc.exe</code>, establishing persistence, command and control, or further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The abuse of ClickOnce technology significantly lowers the barrier to entry for attackers, as it enables the deployment of malware without requiring elevated privileges and often bypasses traditional security controls like mailbox filtering systems. If successful, attackers can achieve persistent access to target systems, execute arbitrary code within legitimate Microsoft processes, and maintain remote access with an easily updatable malicious payload. This stealthy execution can lead to data exfiltration, further network compromise, or the deployment of ransomware, impacting targeted organizations across various sectors. The lack of user awareness about ClickOnce installation mechanisms makes this an effective social engineering vector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM to detect suspicious persistence mechanisms leveraging <code>.appref-ms</code> files.</li>
<li>Enable Sysmon <code>ProcessCreate</code> and <code>FileCreate</code> event logging to activate the Sigma rules and gain visibility into process execution and file system changes related to ClickOnce.</li>
<li>Educate users on the risks associated with clicking links or opening <code>.application</code> files from untrusted sources, emphasizing that software installations should typically require explicit administrative consent.</li>
<li>Monitor for unsanctioned ClickOnce applications being installed or updated within your environment, focusing on their origins and behaviors.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>clickonce</category><category>malware-delivery</category><category>persistence</category><category>windows-exploitation</category><category>defense-evasion</category></item></channel></rss>