Detect ClickOnce in Splunk
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of malicious code through DFSVC.EXE, a trusted Windows utility responsible for installing, launching, and updating ClickOnce .NET applications. Because ClickOnce applications operate under limited permissions, they do not require administrative privileges to install, making them attractive for unprivileged execution. Abuse vectors include: luring users to install trojanized ClickOnce apps from malicious websites, invoking ClickOnce directly via rundll32.exe with dfshim.dll,ShOpenVerbApplication1, and placing .appref-ms files in startup folders for persistence.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1127.002 ClickOnce
- Canonical reference: https://attack.mitre.org/techniques/T1127/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3 OR EventCode=11)
| eval DetectionBranch=""
| eval RiskScore=0
``` Branch 1: DFSVC.EXE spawning suspicious children (EventCode=1) ```
| eval IsSuspiciousChild=if(
    EventCode=1 AND match(lower(ParentImage), "dfsvc\.exe") AND
    match(lower(Image), "(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|csc\.exe|installutil\.exe)"),
    1, 0)
| eval DetectionBranch=if(IsSuspiciousChild=1, "DfsvcSuspiciousChild", DetectionBranch)
| eval RiskScore=if(IsSuspiciousChild=1, 80, RiskScore)
``` Branch 2: rundll32 loading dfshim.dll via ShOpenVerbApplication (EventCode=1) ```
| eval IsDfshimAbuse=if(
    EventCode=1 AND match(lower(Image), "rundll32\.exe") AND
    (match(lower(CommandLine), "dfshim") OR match(lower(CommandLine), "shopenverbapplication")),
    1, 0)
| eval DetectionBranch=if(IsDfshimAbuse=1, "RundllDfshimAbuse", DetectionBranch)
| eval RiskScore=if(IsDfshimAbuse=1, 90, RiskScore)
``` Branch 3: DFSVC.EXE outbound network connections to non-RFC1918, non-loopback addresses (EventCode=3) ```
| eval IsDfsvcNetwork=if(
    EventCode=3 AND match(lower(Image), "dfsvc\.exe") AND
    NOT (match(DestinationIp, "^10\.") OR match(DestinationIp, "^172\.(1[6-9]|2[0-9]|3[0-1])\.") OR
         match(DestinationIp, "^192\.168\.") OR match(DestinationIp, "^127\.")),
    1, 0)
| eval DetectionBranch=if(IsDfsvcNetwork=1, "DfsvcOutboundNetwork", DetectionBranch)
| eval RiskScore=if(IsDfsvcNetwork=1, 60, RiskScore)
``` Branch 4: .appref-ms or .application files in suspicious paths (EventCode=11). Eval string literals are unescaped once before the regex engine sees them, so a literal path separator is written as \\\\ ```
| eval IsApprefInStartup=if(
    EventCode=11 AND
    (match(lower(TargetFilename), "\.appref-ms$") OR match(lower(TargetFilename), "\.application$")) AND
    (match(lower(TargetFilename), "startup") OR match(lower(TargetFilename), "\\\\temp\\\\") OR
     match(lower(TargetFilename), "\\\\tmp\\\\") OR match(lower(TargetFilename), "\\\\downloads\\\\")),
    1, 0)
| eval DetectionBranch=if(IsApprefInStartup=1, "ApprefSuspiciousLocation", DetectionBranch)
| eval RiskScore=if(IsApprefInStartup=1, 70, RiskScore)
| where RiskScore > 0
| eval TargetOrCommandLine=coalesce(TargetFilename, CommandLine)
| table _time, host, User, Image, TargetOrCommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationPort, DetectionBranch, RiskScore
| sort - RiskScore, - _time

Detects ClickOnce abuse using Sysmon Event IDs 1 (Process Create), 3 (Network Connection) and 11 (File Create). Four detection branches mirror the KQL logic: (1) DFSVC.EXE spawning LOLBins or shells as child processes, a high-confidence indicator that a ClickOnce payload is executing; (2) rundll32.exe referencing dfshim or ShOpenVerbApplication on the command line, a direct LOLBAS invocation of the ClickOnce loader; (3) DFSVC.EXE connecting to public IPs, a possible remote .application manifest fetch; (4) .appref-ms or .application files created in startup, temp or downloads paths, indicating persistence or staging. Each branch's eval overwrites DetectionBranch and RiskScore, so an event that matches more than one branch is labelled by the last branch in the pipeline. Results are sorted by RiskScore descending so the highest-priority events surface first.
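As an added example that is not part of this page or the vendor's detection package, the following Python re-implements the same four branches over plain Sysmon event dicts so the logic can be unit-tested offline before the SPL is deployed. Field names follow the query above; the sample events, the placeholder manifest URL, and the two tuning parameters (allowed_children and allowed_dest, standing in for the known-vendor child EXE and vendor-update-server cases in the False Positives list) are assumptions. The public-IP check uses the same four prefixes the SPL excludes, and branches are evaluated in the same order so the last match wins, as successive evals do.

```python
"""Offline re-implementation of the four ClickOnce SPL branches over Sysmon events.

Field names (EventCode, Image, ParentImage, CommandLine, TargetFilename,
DestinationIp) mirror the Splunk query; events are plain dicts so the logic can
be exercised without a Splunk instance.
"""
import ipaddress
import re

# Child processes of dfsvc.exe that the query treats as suspicious (Branch 1).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
    "bitsadmin.exe", "msbuild.exe", "csc.exe", "installutil.exe",
}
# ClickOnce artefacts and the staging/persistence paths from Branch 4.
CLICKONCE_FILE = re.compile(r"\.(appref-ms|application)$")
SUSPICIOUS_PATH = re.compile(r"startup|\\temp\\|\\tmp\\|\\downloads\\")
# The same four prefixes the SPL excludes in Branch 3 (RFC 1918 plus loopback).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(path):
    """Last component of a Windows path, lower-cased (works off-Windows too)."""
    return path.lower().rsplit("\\", 1)[-1]


def is_public_ip(addr):
    """True for a parseable address outside the four excluded ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # empty or malformed DestinationIp
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def classify(event, allowed_children=frozenset(), allowed_dest=frozenset()):
    """Return (DetectionBranch, RiskScore) for one event, or (None, 0).

    Branches run in the same order as the SPL evals, so when several match the
    last one wins, exactly as later evals overwrite DetectionBranch. The two
    allowlists are hypothetical tuning hooks for known-good child EXEs and
    vendor update servers.
    """
    code = int(event.get("EventCode", 0))
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    target = event.get("TargetFilename", "").lower()
    dest = event.get("DestinationIp", "")
    result = (None, 0)

    # Branch 1: dfsvc.exe spawning a shell or LOLBin.
    if (code == 1 and parent == "dfsvc.exe" and image in SUSPICIOUS_CHILDREN
            and image not in allowed_children):
        result = ("DfsvcSuspiciousChild", 80)
    # Branch 2: rundll32 invoking the ClickOnce loader in dfshim.dll.
    if (code == 1 and image == "rundll32.exe"
            and ("dfshim" in cmd or "shopenverbapplication" in cmd)):
        result = ("RundllDfshimAbuse", 90)
    # Branch 3: dfsvc.exe talking to a non-RFC1918, non-loopback address.
    if (code == 3 and image == "dfsvc.exe" and is_public_ip(dest)
            and dest not in allowed_dest):
        result = ("DfsvcOutboundNetwork", 60)
    # Branch 4: ClickOnce file written to a startup/temp/downloads path.
    if code == 11 and CLICKONCE_FILE.search(target) and SUSPICIOUS_PATH.search(target):
        result = ("ApprefSuspiciousLocation", 70)
    return result


def run(events, **tuning):
    """Mirror `where RiskScore > 0 | sort - RiskScore`: hits, highest risk first."""
    hits = []
    for ev in events:
        branch, risk = classify(ev, **tuning)
        if risk > 0:
            hits.append({**ev, "DetectionBranch": branch, "RiskScore": risk})
    return sorted(hits, key=lambda h: -h["RiskScore"])


# Constructed sample events (not real telemetry); fields follow the Sysmon schema.
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 1, "ParentImage": DFSVC,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo hi"},
    {"host": "ws01", "EventCode": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbApplication1 http://placeholder.invalid/app.application"},
    {"host": "ws02", "EventCode": 3, "Image": DFSVC,
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"host": "ws02", "EventCode": 3, "Image": DFSVC,
     "DestinationIp": "10.20.30.40", "DestinationPort": 443},  # internal, ignored
    {"host": "ws03", "EventCode": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.appref-ms"},
    {"host": "ws03", "EventCode": 11,
     "TargetFilename": r"C:\Program Files\Vendor\Tool\Tool.application"},  # normal install
    {"host": "ws04", "EventCode": 1, "ParentImage": DFSVC,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "CommandLine": "msbuild.exe build.proj"},  # candidate for the allowlist
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS, allowed_children={"msbuild.exe"}):
        print(hit["RiskScore"], hit["DetectionBranch"], hit["host"])
```

Running the module prints the four hits in risk order (90, 80, 70, 60); the msbuild.exe child is suppressed by the allowlist and the internal-destination and Program Files events never score. Swapping a suspected false positive into SAMPLE_EVENTS is a quick way to see which branch it trips before adjusting the SPL.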
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational in index=wineventlog, with Sysmon Event IDs 1 (Process Create), 3 (Network Connection) and 11 (File Create) collected. Fields the query relies on: Image, ParentImage, CommandLine, ParentCommandLine, TargetFilename, DestinationIp, DestinationPort, User and host.
False Positives & Tuning
- Legitimate enterprise ClickOnce applications where DFSVC.EXE spawns a known .NET EXE as an expected child process
- Software update mechanisms using ClickOnce for self-updating desktop tools, causing routine DFSVC.EXE network connections to vendor update servers
- Development or QA environments where .appref-ms shortcuts are routinely placed in temp or downloads directories during testing cycles
- IT provisioning scripts that deploy .appref-ms files to startup folders for legitimate application launch-on-login scenarios
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that only Tests 1 and 3 produce telemetry the query above scores (branch 2 on the rundll32 command line, branch 4 on the Startup file create): the loopback destination 127.0.0.1 used in Tests 1 and 2 is deliberately excluded by branch 3, and Test 4's PowerShell enumeration and .txt drop in %TEMP% match none of the branches.
- Test 1: ClickOnce LOLBAS via Rundll32 dfshim.dll
Expected signal: Sysmon Event ID 1: Process Create with Image=rundll32.exe, CommandLine containing 'dfshim.dll,ShOpenVerbApplication1'. Sysmon Event ID 1: Child process DFSVC.EXE spawned by rundll32.exe. Sysmon Event ID 3: Network connection attempt from DFSVC.EXE to 127.0.0.1:8080. Security Event ID 4688 (if command line auditing is enabled) for both rundll32.exe and dfsvc.exe.
- Test 2: DFSVC.EXE Direct Invocation with Remote Manifest
Expected signal: Sysmon Event ID 1: Process Create for dfsvc.exe with command line containing the manifest URL. Sysmon Event ID 3: Outbound TCP connection attempt from dfsvc.exe to 127.0.0.1:8080. Windows Event Log Microsoft-Windows-ClickOnce/Operational: deployment activation event with the source URL.
- Test 3: Malicious .appref-ms Placed in Startup Folder
Expected signal: Sysmon Event ID 11: File Create event with TargetFilename containing 'Startup\evil.appref-ms'. Sysmon Event ID 1: PowerShell process creating the file. The startup folder path will be: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\evil.appref-ms.
- Test 4: ClickOnce Cache Enumeration Simulating Post-Install Reconnaissance
Expected signal: Sysmon Event ID 1: PowerShell process with command line showing ClickOnce cache enumeration. Sysmon Event ID 11: File creation of clickonce_enum.txt in %TEMP%. Multiple Sysmon Event ID 10 (Process Access) events as PowerShell reads binaries in the cache directory.
References
- https://attack.mitre.org/techniques/T1127/002/
- https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
- https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
- https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.002/T1127.002.md