Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1.(Citation: LOLBAS /Dfsvc.exe)
Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1127.002 | ClickOnce |
Comments
This diagnostic statement protects against ClickOnce through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1127.002 | ClickOnce |
Comments
This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution: ClickOnce through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1127.002 | ClickOnce |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1127.002 | ClickOnce | |
| AC-17 | Remote Access | mitigates | T1127.002 | ClickOnce | |
| SC-18 | Mobile Code | mitigates | T1127.002 | ClickOnce | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1127.002 | ClickOnce | |
| CM-08 | System Component Inventory | mitigates | T1127.002 | ClickOnce | |
| SI-10 | Information Input Validation | mitigates | T1127.002 | ClickOnce | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1127.002 | ClickOnce | |
| CM-02 | Baseline Configuration | mitigates | T1127.002 | ClickOnce | |
| CM-07 | Least Functionality | mitigates | T1127.002 | ClickOnce | |
| SI-04 | System Monitoring | mitigates | T1127.002 | ClickOnce |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1127.002 | ClickOnce | |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1127.002 | ClickOnce | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1127.002 | ClickOnce |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1127.002 | ClickOnce |
Comments
Google Security Operations triggers an alert based on common command line arguments for DFSVC.EXE which is used by adversaries to execute code through ClickOnce applications.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral
References
|