Trusted Developer Utilities Proxy Execution: ClickOnce
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce) Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges. ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce) Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe) Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
Mitigations |
|
| Mitigation | Description |
|---|---|
| Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
| Restrict Web-Based Content |
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. |
| Code Signing |
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
References
- William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE IN: When .appref-ms abuse is operating as intended. Retrieved September 9, 2024.
- William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution & C2. Retrieved September 9, 2024.
- Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024.
- Nick Powers. (2023, June 7). Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.
- Microsoft. (2023, September 14). ClickOnce security and deployment. Retrieved September 9, 2024.
- LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
- Microsoft. (2023, August 4). Configure the ClickOnce trust prompt behavior. Retrieved September 9, 2024.
- Microsoft. (2023, March 9). ClickOnce and Authenticode. Retrieved September 9, 2024.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.