Detect ClickOnce in Elastic Security
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of malicious code through DFSVC.EXE, a trusted Windows utility responsible for installing, launching, and updating ClickOnce .NET applications. Because ClickOnce applications operate under limited permissions, they do not require administrative privileges to install, making them attractive for unprivileged execution. Abuse vectors include: luring users to install trojanized ClickOnce apps from malicious websites, invoking ClickOnce directly via rundll32.exe with dfshim.dll,ShOpenVerbApplication1, and placing .appref-ms files in startup folders for persistence.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1127.002 ClickOnce
- Canonical reference
- https://attack.mitre.org/techniques/T1127/002/
Elastic Detection Query
sequence by host.id with maxspan=5m
[any where event.category == "process" and
(
/* Branch 1: DFSVC.EXE spawning suspicious child processes */
(process.parent.name : "dfsvc.exe" and
process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
"cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
"bitsadmin.exe", "msbuild.exe", "csc.exe", "installutil.exe"))
or
/* Branch 2: rundll32.exe invoking dfshim.dll via ShOpenVerbApplication */
(process.name : "rundll32.exe" and
process.args : ("*dfshim*", "*ShOpenVerbApplication*"))
)
]
/* Branch 3: DFSVC.EXE outbound network connection to public IP */
sequence by host.id with maxspan=5m
[network where process.name : "dfsvc.exe" and
network.direction == "egress" and
not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")
]
/* Branch 4: .appref-ms or .application files written to suspicious paths */
[file where event.action in ("creation", "overwrite") and
file.extension in ("appref-ms", "application") and
(
file.path : ("*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
"*\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
"*\\Temp\\*", "*\\tmp\\*", "*\\Downloads\\*")
)
]Detects ClickOnce abuse (T1127.002) across four behavioral patterns: DFSVC.EXE spawning suspicious LOLBin child processes, rundll32.exe loading dfshim.dll to invoke ClickOnce, DFSVC.EXE initiating outbound network connections to public IPs, and .appref-ms or .application files dropped to startup or temp locations for persistence.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise ClickOnce application deployments via DFSVC.EXE that spawn cmd.exe or PowerShell post-install for configuration tasks
- Internal IT tooling or software delivery pipelines that use rundll32.exe with dfshim.dll to programmatically install or update ClickOnce apps
- Security tools or EDR agents installed via ClickOnce that establish outbound connections during update checks or license validation
Other platforms for T1127.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ClickOnce LOLBAS via Rundll32 dfshim.dll
Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'dfshim.dll,ShOpenVerbApplication1'. Sysmon Event ID 1: Child process DFSVC.EXE spawned by rundll32.exe. Sysmon Event ID 3: Network connection attempt from DFSVC.EXE to 127.0.0.1:8080. Security Event ID 4688 (if command line auditing enabled) for both rundll32.exe and dfsvc.exe.
- Test 2DFSVC.EXE Direct Invocation with Remote Manifest
Expected signal: Sysmon Event ID 1: Process Create for dfsvc.exe with command line containing the manifest URL. Sysmon Event ID 3: Outbound TCP connection attempt from dfsvc.exe to 127.0.0.1:8080. Windows Event Log Microsoft-Windows-ClickOnce/Operational: deployment activation event with the source URL.
- Test 3Malicious .appref-ms Placed in Startup Folder
Expected signal: Sysmon Event ID 11: File Create event with TargetFilename containing 'Startup\evil.appref-ms'. Sysmon Event ID 1: PowerShell process creating the file. The startup folder path will be: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\evil.appref-ms.
- Test 4ClickOnce Cache Enumeration Simulating Post-Install Reconnaissance
Expected signal: Sysmon Event ID 1: PowerShell process with command line showing ClickOnce cache enumeration. Sysmon Event ID 11: File creation of clickonce_enum.txt in %TEMP%. Multiple Sysmon Event ID 10 (Process Access) events as PowerShell reads binaries in the cache directory.
References (7)
- https://attack.mitre.org/techniques/T1127/002/
- https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
- https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
- https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.002/T1127.002.md
Unlock Pro Content
Get the full detection package for T1127.002 including response playbook, investigation guide, and atomic red team tests.