T1127.002 ClickOnce

Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)

Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.

ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution: when a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce installation prompt is displayed.(Citation: NetSPI ClickOnce)

Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1.(Citation: LOLBAS /Dfsvc.exe)

Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
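The three behaviours described above (a process spawned by dfsvc.exe, rundll32.exe invoking dfshim.dll,ShOpenVerbApplication1, and a ClickOnce deployment file written into a Startup folder) can be turned into detection logic over process-creation telemetry. The following Python is an added example, not part of the ATT&CK entry or of any mapped product; the event field names, paths and sample events are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"dfsvc.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Apps\2.0\K1\updater.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "command_line": r"updater.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rundll32.exe dfshim.dll,ShOpenVerbApplication1 http://example.invalid/app.application"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c copy app.appref-ms "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.appref-ms"'},
]

# rundll32.exe dfshim.dll,ShOpenVerbApplication1 <uri> launches a ClickOnce deployment.
DFSHIM_LAUNCH = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication", re.IGNORECASE)
# ClickOnce deployment file extensions and the per-user Startup folder path (assumed layout).
CLICKONCE_FILE = re.compile(r"\.(appref-ms|application)\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the ClickOnce-related labels that apply to one process-creation event."""
    hits: List[str] = []
    cmd = event["command_line"]
    # Every ClickOnce application runs as a child of dfsvc.exe; enrich with signer
    # and deployment URL before treating this alone as malicious.
    if basename(event["parent_image"]) == "dfsvc.exe":
        hits.append("clickonce_child_of_dfsvc")
    if basename(event["image"]) == "rundll32.exe" and DFSHIM_LAUNCH.search(cmd):
        hits.append("clickonce_launch_via_rundll32_dfshim")
    # A deployment file written into a Startup folder points at persistence.
    if CLICKONCE_FILE.search(cmd) and STARTUP_DIR.search(cmd):
        hits.append("clickonce_file_in_startup_folder")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, label) for every rule match across a batch of events."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]
```

The first rule fires on legitimate ClickOnce applications as well, so in practice it is a triage signal to be joined with code-signing and deployment-origin data rather than an alert on its own.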

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1127.002 | ClickOnce |
  Comments: This diagnostic statement protects against ClickOnce by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
PR.PS-01.03 | Configuration deviation | Mitigates | T1127.002 | ClickOnce |
  Comments: This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution: ClickOnce through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
PR.PS-05.02 | Mobile code prevention | Mitigates | T1127.002 | ClickOnce |
  Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-06 | Configuration Settings | mitigates | T1127.002 | ClickOnce |
AC-17 | Remote Access | mitigates | T1127.002 | ClickOnce |
SC-18 | Mobile Code | mitigates | T1127.002 | ClickOnce |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1127.002 | ClickOnce |
CM-08 | System Component Inventory | mitigates | T1127.002 | ClickOnce |
SI-10 | Information Input Validation | mitigates | T1127.002 | ClickOnce |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1127.002 | ClickOnce |
CM-02 | Baseline Configuration | mitigates | T1127.002 | ClickOnce |
CM-07 | Least Functionality | mitigates | T1127.002 | ClickOnce |
SI-04 | System Monitoring | mitigates | T1127.002 | ClickOnce |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1127.002 | ClickOnce |
action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1127.002 | ClickOnce |
action.hacking.vector.Command shell | Remote shell | related-to | T1127.002 | ClickOnce |

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
google_secops | Google Security Operations | technique_scores | T1127.002 | ClickOnce |
  Comments: Google Security Operations triggers an alert based on common command-line arguments for DFSVC.EXE, which adversaries use to execute code through ClickOnce applications. This technique was scored as minimal because of a low or uncertain detection coverage factor. Rule: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral