T1127.002

ClickOnce

Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of malicious code through DFSVC.EXE, a trusted Windows utility responsible for installing, launching, and updating ClickOnce .NET applications. Because ClickOnce applications operate under limited permissions, they do not require administrative privileges to install, making them attractive for unprivileged execution. Abuse vectors include: luring users to install trojanized ClickOnce apps from malicious websites, invoking ClickOnce directly via rundll32.exe with dfshim.dll,ShOpenVerbApplication1, and placing .appref-ms files in startup folders for persistence.

Microsoft Sentinel / Defender

kusto

// Branch 1: DFSVC.EXE spawning suspicious child processes
let SuspiciousChildren = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
  "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
  "bitsadmin.exe", "msbuild.exe", "csc.exe", "installutil.exe"
]);
let ClickOnceExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "dfsvc.exe"
| where FileName in~ (SuspiciousChildren)
| extend DetectionBranch = "DfsvcSuspiciousChild"
| extend RiskScore = 80;
// Branch 2: rundll32.exe invoking dfshim.dll ClickOnce loader
let DfshimAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| where ProcessCommandLine has_any ("dfshim", "ShOpenVerbApplication")
| extend DetectionBranch = "RundllDfshimAbuse"
| extend RiskScore = 90;
// Branch 3: DFSVC.EXE making outbound network connections
let DfsvcNetwork = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "dfsvc.exe"
| where RemoteIPType == "Public"
| extend DetectionBranch = "DfsvcOutboundNetwork"
| extend RiskScore = 60
| project Timestamp, DeviceName, AccountName,
  FileName = InitiatingProcessFileName,
  ProcessCommandLine = InitiatingProcessCommandLine,
  InitiatingProcessFileName = "",
  InitiatingProcessCommandLine = "",
  DetectionBranch, RiskScore,
  RemoteUrl, RemoteIP, RemotePort;
// Branch 4: .appref-ms files written to startup or temp locations
let ApprefInStartup = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".appref-ms" or FileName endswith ".application"
| where FolderPath has_any (
    "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "\\Temp\\", "\\tmp\\", "\\Downloads\\"
  )
| extend DetectionBranch = "ApprefSuspiciousLocation"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName = RequestAccountName,
  FileName, ProcessCommandLine = InitiatingProcessCommandLine,
  InitiatingProcessFileName, InitiatingProcessCommandLine,
  DetectionBranch, RiskScore,
  RemoteUrl = "", RemoteIP = "", RemotePort = int(null);
union kind=outer
  (ClickOnceExec | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskScore, RemoteUrl="", RemoteIP="", RemotePort=int(null)),
  DfshimAbuse | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskScore, RemoteUrl="", RemoteIP="", RemotePort=int(null),
  DfsvcNetwork,
  ApprefInStartup
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Legitimate enterprise ClickOnce applications (internal LOB apps deployed via SharePoint or intranet) where DFSVC.EXE spawns an expected child process
Software update mechanisms that use ClickOnce for self-updating .NET desktop applications (e.g., Visual Studio extensions, internal tooling)
Development environments where developers test ClickOnce packages locally, causing DFSVC.EXE network activity to localhost or internal servers
IT deployment tools that distribute .appref-ms shortcuts to user desktops or startup folders as part of legitimate software rollout

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3)
)
| eval DetectionBranch=""
| eval RiskScore=0

``` Branch 1: DFSVC.EXE spawning suspicious children (EventCode=1) ```
| eval IsSuspiciousChild=if(
    EventCode=1 AND match(lower(ParentImage), "dfsvc\.exe") AND
    match(lower(Image), "(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe)"),
    1, 0)
| eval DetectionBranch=if(IsSuspiciousChild=1, "DfsvcSuspiciousChild", DetectionBranch)
| eval RiskScore=if(IsSuspiciousChild=1, 80, RiskScore)

``` Branch 2: rundll32 loading dfshim.dll via ShOpenVerbApplication (EventCode=1) ```
| eval IsDfshimAbuse=if(
    EventCode=1 AND match(lower(Image), "rundll32\.exe") AND
    (match(lower(CommandLine), "dfshim") OR match(lower(CommandLine), "shopenverbapplication")),
    1, 0)
| eval DetectionBranch=if(IsDfshimAbuse=1, "RundllDfshimAbuse", DetectionBranch)
| eval RiskScore=if(IsDfshimAbuse=1, 90, RiskScore)

``` Branch 3: DFSVC.EXE outbound network connections (EventCode=3) ```
| eval IsDfsvcNetwork=if(
    EventCode=3 AND match(lower(Image), "dfsvc\.exe") AND
    NOT (match(DestinationIp, "^10\.") OR match(DestinationIp, "^172\.(1[6-9]|2[0-9]|3[0-1])\.") OR
         match(DestinationIp, "^192\.168\.") OR match(DestinationIp, "^127\.")),
    1, 0)
| eval DetectionBranch=if(IsDfsvcNetwork=1, "DfsvcOutboundNetwork", DetectionBranch)
| eval RiskScore=if(IsDfsvcNetwork=1, 60, RiskScore)

``` Branch 4: .appref-ms or .application files in suspicious paths (EventCode=11) ```
| eval IsApprefInStartup=if(
    EventCode=11 AND
    (match(lower(TargetFilename), "\.appref-ms$") OR match(lower(TargetFilename), "\.application$")) AND
    (match(lower(TargetFilename), "startup") OR match(lower(TargetFilename), "\\temp\\") OR
     match(lower(TargetFilename), "\\tmp\\") OR match(lower(TargetFilename), "\\downloads\\")),
    1, 0)
| eval DetectionBranch=if(IsApprefInStartup=1, "ApprefSuspiciousLocation", DetectionBranch)
| eval RiskScore=if(IsApprefInStartup=1, 70, RiskScore)

| where RiskScore > 0
| eval TargetOrCommandLine=coalesce(TargetFilename, CommandLine)
| table _time, host, User, Image, TargetOrCommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationPort, DetectionBranch, RiskScore
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 3 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate enterprise ClickOnce applications where DFSVC.EXE spawns a known .NET EXE as an expected child process
Software update mechanisms using ClickOnce for self-updating desktop tools, causing routine DFSVC.EXE network connections to vendor update servers
Development or QA environments where .appref-ms shortcuts are routinely placed in temp or downloads directories during testing cycles
IT provisioning scripts that deploy .appref-ms files to startup folders for legitimate application launch-on-login scenarios

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [any where event.category == "process" and
   (
     /* Branch 1: DFSVC.EXE spawning suspicious child processes */
     (process.parent.name : "dfsvc.exe" and
      process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                      "bitsadmin.exe", "msbuild.exe", "csc.exe", "installutil.exe"))
     or
     /* Branch 2: rundll32.exe invoking dfshim.dll via ShOpenVerbApplication */
     (process.name : "rundll32.exe" and
      process.args : ("*dfshim*", "*ShOpenVerbApplication*"))
   )
  ]

/* Branch 3: DFSVC.EXE outbound network connection to public IP */
sequence by host.id with maxspan=5m
  [network where process.name : "dfsvc.exe" and
   network.direction == "egress" and
   not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")
  ]

/* Branch 4: .appref-ms or .application files written to suspicious paths */
[file where event.action in ("creation", "overwrite") and
  file.extension in ("appref-ms", "application") and
  (
    file.path : ("*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
                  "*\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
                  "*\\Temp\\*", "*\\tmp\\*", "*\\Downloads\\*")
  )
]

high severity high confidence

Data Sources

Elastic Endpoint Windows Event Logs Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate enterprise ClickOnce application deployments via DFSVC.EXE that spawn cmd.exe or PowerShell post-install for configuration tasks
Internal IT tooling or software delivery pipelines that use rundll32.exe with dfshim.dll to programmatically install or update ClickOnce apps
Security tools or EDR agents installed via ClickOnce that establish outbound connections during update checks or license validation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "TargetFilename" AS target_filename,
  "DestinationIp" AS destination_ip,
  "DestinationPort" AS destination_port,
  CASE
    WHEN LOWER("ParentImage") LIKE '%dfsvc.exe%' AND
         LOWER("Image") SIMILAR TO '%(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe)%'
      THEN 'DfsvcSuspiciousChild'
    WHEN LOWER("Image") LIKE '%rundll32.exe%' AND
         (LOWER("CommandLine") LIKE '%dfshim%' OR LOWER("CommandLine") LIKE '%shopenverbapplication%')
      THEN 'RundllDfshimAbuse'
    WHEN LOWER("Image") LIKE '%dfsvc.exe%' AND
         "DestinationIp" IS NOT NULL AND
         NOT ("DestinationIp" LIKE '10.%' OR
              "DestinationIp" LIKE '192.168.%' OR
              "DestinationIp" LIKE '127.%' OR
              LONG(SPLIT("DestinationIp", '.', 1)) BETWEEN 172 AND 172 AND
              LONG(SPLIT("DestinationIp", '.', 2)) BETWEEN 16 AND 31)
      THEN 'DfsvcOutboundNetwork'
    WHEN (LOWER("TargetFilename") LIKE '%.appref-ms%' OR LOWER("TargetFilename") LIKE '%.application%') AND
         (LOWER("TargetFilename") LIKE '%startup%' OR
          LOWER("TargetFilename") LIKE '%\\temp\\%' OR
          LOWER("TargetFilename") LIKE '%\\tmp\\%' OR
          LOWER("TargetFilename") LIKE '%\\downloads\\%')
      THEN 'ApprefSuspiciousLocation'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
  AND starttime > NOW() - 86400000
  AND (
    /* Branch 1 */
    (LOWER("ParentImage") LIKE '%dfsvc.exe%' AND
     LOWER("Image") SIMILAR TO '%(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe)%')
    OR
    /* Branch 2 */
    (LOWER("Image") LIKE '%rundll32.exe%' AND
     (LOWER("CommandLine") LIKE '%dfshim%' OR LOWER("CommandLine") LIKE '%shopenverbapplication%'))
    OR
    /* Branch 3 */
    (LOWER("Image") LIKE '%dfsvc.exe%' AND
     "DestinationIp" IS NOT NULL AND
     NOT ("DestinationIp" LIKE '10.%' OR "DestinationIp" LIKE '192.168.%' OR "DestinationIp" LIKE '127.%'))
    OR
    /* Branch 4 */
    ((LOWER("TargetFilename") LIKE '%.appref-ms%' OR LOWER("TargetFilename") LIKE '%.application%') AND
     (LOWER("TargetFilename") LIKE '%startup%' OR LOWER("TargetFilename") LIKE '%\\temp\\%' OR
      LOWER("TargetFilename") LIKE '%\\tmp\\%' OR LOWER("TargetFilename") LIKE '%\\downloads\\%'))
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via QRadar WinCollect Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise software provisioning systems that deploy applications via ClickOnce and invoke post-install scripts through DFSVC.EXE
Developer workstations where .NET developers frequently test ClickOnce-packaged applications and dfshim.dll invocations are routine
Update mechanisms for legitimate ClickOnce-distributed business applications that connect outbound to vendor update servers

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| json auto
| where EventID in ("1", "3", "11")
// Branch 1: DFSVC.EXE spawning suspicious children (EventID=1)
| eval IsSuspiciousChild = if(
    EventID = "1"
    AND matches(toLowerCase(ParentImage), ".*dfsvc\.exe.*")
    AND matches(toLowerCase(Image), ".*(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe).*"),
    1, 0)
// Branch 2: rundll32 loading dfshim via ShOpenVerbApplication (EventID=1)
| eval IsDfshimAbuse = if(
    EventID = "1"
    AND matches(toLowerCase(Image), ".*rundll32\.exe.*")
    AND (matches(toLowerCase(CommandLine), ".*dfshim.*") OR matches(toLowerCase(CommandLine), ".*shopenverbapplication.*")),
    1, 0)
// Branch 3: DFSVC.EXE outbound network to public IP (EventID=3)
| eval IsDfsvcNetwork = if(
    EventID = "3"
    AND matches(toLowerCase(Image), ".*dfsvc\.exe.*")
    AND !matches(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)"),
    1, 0)
// Branch 4: .appref-ms or .application in suspicious paths (EventID=11)
| eval IsApprefInStartup = if(
    EventID = "11"
    AND (matches(toLowerCase(TargetFilename), ".*\\.appref-ms$") OR matches(toLowerCase(TargetFilename), ".*\\.application$"))
    AND (matches(toLowerCase(TargetFilename), ".*startup.*")
         OR matches(toLowerCase(TargetFilename), ".*\\\\temp\\\\.*")
         OR matches(toLowerCase(TargetFilename), ".*\\\\tmp\\\\.*")
         OR matches(toLowerCase(TargetFilename), ".*\\\\downloads\\\\.*")),
    1, 0)
| eval DetectionBranch = if(IsSuspiciousChild=1, "DfsvcSuspiciousChild",
    if(IsDfshimAbuse=1, "RundllDfshimAbuse",
    if(IsDfsvcNetwork=1, "DfsvcOutboundNetwork",
    if(IsApprefInStartup=1, "ApprefSuspiciousLocation", ""))))
| eval RiskScore = if(IsSuspiciousChild=1, 80,
    if(IsDfshimAbuse=1, 90,
    if(IsDfsvcNetwork=1, 60,
    if(IsApprefInStartup=1, 70, 0))))
| where RiskScore > 0
| eval TargetOrCommandLine = if(isNull(TargetFilename), CommandLine, TargetFilename)
| fields _messageTime, Computer, User, Image, TargetOrCommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationPort, DetectionBranch, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon Sumo Logic Installed Collector (Windows)

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=os/windows/sysmon

False Positives

Automated software deployment pipelines using ClickOnce to push .NET applications that spawn cmd.exe or PowerShell for post-installation configuration
IT administrators manually invoking rundll32.exe with dfshim.dll to test or troubleshoot ClickOnce application installs
Legitimate business applications distributed via ClickOnce that create .appref-ms shortcut files in the user's Downloads directory during initial installation

Google Chronicle / SecOps

yaral

rule clickonce_dfsvc_abuse_t1127002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects ClickOnce (T1127.002) abuse: DFSVC.EXE spawning LOLBin children, rundll32 loading dfshim.dll, DFSVC.EXE outbound network, and .appref-ms persistence"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1127.002"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      /* Branch 1: DFSVC.EXE spawning suspicious child processes */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)dfsvc\.exe$`)
        and re.regex($e.target.process.file.full_path,
          `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe)$`)
      )
      or
      /* Branch 2: rundll32.exe invoking dfshim.dll ShOpenVerbApplication */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)rundll32\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)dfshim`) or
          re.regex($e.target.process.command_line, `(?i)ShOpenVerbApplication`)
        )
      )
      or
      /* Branch 3: DFSVC.EXE making outbound network connections to public IPs */
      (
        $e.metadata.event_type = "NETWORK_CONNECTION"
        and re.regex($e.principal.process.file.full_path, `(?i)dfsvc\.exe$`)
        and not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
        and not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
        and not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
        and not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
      )
      or
      /* Branch 4: .appref-ms or .application files written to startup/temp */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and (
          re.regex($e.target.file.full_path, `(?i)\.appref-ms$`) or
          re.regex($e.target.file.full_path, `(?i)\.application$`)
        )
        and (
          re.regex($e.target.file.full_path, `(?i)startup`) or
          re.regex($e.target.file.full_path, `(?i)\\temp\\`) or
          re.regex($e.target.file.full_path, `(?i)\\tmp\\`) or
          re.regex($e.target.file.full_path, `(?i)\\downloads\\'`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle Windows Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle

Required Tables

PROCESS_LAUNCH NETWORK_CONNECTION FILE_CREATION

False Positives

Enterprise-managed ClickOnce application deployments where DFSVC.EXE legitimately spawns PowerShell for custom post-install hooks defined by the application vendor
Software packaging or repackaging tools that invoke rundll32.exe with dfshim.dll to convert or validate ClickOnce manifests in a development or QA environment
SaaS applications distributed as ClickOnce packages that create .appref-ms files in the Downloads folder as part of a first-run user experience flow

CrowdStrike LogScale (CQL)

cql

// Branch 1: DFSVC.EXE spawning suspicious child processes
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /dfsvc\.exe/i
| ImageFileName = /(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe)/i
| eval DetectionBranch = "DfsvcSuspiciousChild"
| eval RiskScore = 80
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, RiskScore])

// Union Branch 2: rundll32.exe loading dfshim.dll
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /rundll32\.exe/i
  | CommandLine = /(dfshim|ShOpenVerbApplication)/i
  | eval DetectionBranch = "RundllDfshimAbuse"
  | eval RiskScore = 90
  | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, RiskScore])
]

// Union Branch 3: DFSVC.EXE outbound network connections to public IPs
| union [
  #event_simpleName=NetworkConnectIP4
  | ImageFileName = /dfsvc\.exe/i
  | !RemoteIP = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
  | eval DetectionBranch = "DfsvcOutboundNetwork"
  | eval RiskScore = 60
  | eval CommandLine = ""
  | eval ParentBaseFileName = ""
  | eval ParentCommandLine = ""
  | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteIP, RemotePort, DetectionBranch, RiskScore])
]

// Union Branch 4: .appref-ms or .application files written to suspicious paths
| union [
  #event_simpleName=PeFileWritten OR #event_simpleName=DocumentWritten
  | TargetFileName = /\.(appref-ms|application)$/i
  | TargetFileName = /(Startup|\\Temp\\|\\tmp\\|\\Downloads\\)/i
  | eval DetectionBranch = "ApprefSuspiciousLocation"
  | eval RiskScore = 70
  | eval CommandLine = TargetFileName
  | eval ParentBaseFileName = ""
  | eval ParentCommandLine = ""
  | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, RiskScore])
]

| sort(RiskScore, order=desc)
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Insight XDR

Required Tables

ProcessRollup2 NetworkConnectIP4 PeFileWritten DocumentWritten

False Positives

Falcon-managed endpoints running legitimate enterprise ClickOnce applications where DFSVC.EXE routinely spawns child processes for update checks or configuration scripts authorized by the app vendor
Developer machines with Visual Studio or .NET toolchains where ClickOnce manifest testing involves rundll32.exe and dfshim.dll as part of the build-and-test workflow
Endpoint management tools (e.g., SCCM, Intune supplementary agents) that distribute software via ClickOnce and write .appref-ms shortcuts to user startup folders during provisioning

Last updated: 2026-04-19 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1127.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

ClickOnce

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections