title: ClickOnce (T1127.002)
id: df00tech-t1127-002
status: experimental
description: "Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of malicious code through DFSVC.EXE, a trusted Windows utility responsible for installing, launching, and updating ClickOnce .NET applications. Because ClickOnce applications operate under limited permissions, they do not require administrative privileges to install, making them attractive for unprivileged execution. Abuse vectors include: luring users to install trojanized ClickOnce apps from malicious websites, invoking ClickOnce directly via rundll32.exe with dfshim.dll,ShOpenVerbApplication1, and placing .appref-ms files in startup folders for persistence."
references:
  - https://attack.mitre.org/techniques/T1127/002/
  - https://df00tech.com/detections/T1127.002
author: df00tech
date: 2026/04/19
tags:
  - attack.t1127.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original KQL/SPL query on df00tech could not be auto-translated; the selections below
  # are derived from the abuse vectors in the description (rundll32 + dfshim.dll invocation, and
  # DFSVC.EXE spawning a child process) and should be tuned against the false positives listed.
  selection_rundll32:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains: 'dfshim.dll,ShOpenVerbApplication1'
  selection_dfsvc_child:
    ParentImage|endswith: '\dfsvc.exe'
  condition: 1 of selection_*
falsepositives:
  - Legitimate enterprise ClickOnce applications (internal LOB apps deployed via SharePoint or intranet) where DFSVC.EXE spawns an expected child process
  - Software update mechanisms that use ClickOnce for self-updating .NET desktop applications (e.g., Visual Studio extensions, internal tooling)
  - Development environments where developers test ClickOnce packages locally, causing DFSVC.EXE network activity to localhost or internal servers
  - IT deployment tools that distribute .appref-ms shortcuts to user desktops or startup folders as part of legitimate software rollout
level: high
