MITRE ATT&CK Technique
Description
Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)

Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.

ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)

Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)

Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
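The three behaviours in the description (a child process of DFSVC.EXE, `rundll32.exe` invoking `dfshim.dll`, and a ClickOnce file landing in a startup folder) can each be tagged in endpoint telemetry for triage. The following is an added example, not part of the ATT&CK entry: the event field names (`type`, `image`, `parent_image`, `command_line`, `target_filename`), the rule names and the sample events are constructed assumptions, not a real log schema.

```python
import ntpath
import re

# Constructed sample events; field names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "rundll32.exe dfshim.dll,ShOpenVerbApplication "
                     "https://deploy.example.test/app.application"},
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234.XYZ\tool.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "command_line": "tool.exe"},
    {"type": "file",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                        r"\Start Menu\Programs\Startup\tool.appref-ms"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Matches the dfshim.dll export named on the page (with or without a suffix)
# and captures the deployment target that follows it, if any.
DFSHIM_RE = re.compile(
    r"dfshim(\.dll)?\s*,\s*ShOpenVerbApplication\S*\s*(?P<target>\S*)", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
CLICKONCE_EXTS = (".appref-ms", ".application")

def basename(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return a list of (rule, detail) findings for one event."""
    findings = []
    if event["type"] == "process":
        m = DFSHIM_RE.search(event.get("command_line", ""))
        if basename(event["image"]) == "rundll32.exe" and m:
            findings.append(("rundll32_dfshim_launch", m.group("target")))
        # Also true for legitimate ClickOnce apps: a triage tag, not a verdict.
        if basename(event.get("parent_image", "")) == "dfsvc.exe":
            findings.append(("child_of_dfsvc", event["image"]))
    elif event["type"] == "file":
        path = event["target_filename"].lower()
        if path.endswith(CLICKONCE_EXTS) and STARTUP_DIR in path:
            findings.append(("clickonce_file_in_startup", event["target_filename"]))
    return findings

def scan(events):
    return [finding for event in events for finding in classify(event)]
```

Calling `scan(SAMPLE_EVENTS)` tags the first three events and leaves the unrelated `rundll32.exe` invocation untouched; the captured deployment target can then be compared against the organisation's known ClickOnce publishers.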
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-09-09T14:39:28.637Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may use ClickOnce applications (.appref-ms and '
'.application files) to proxy execution of code through a '
'trusted Windows utility.(Citation: Burke/CISA ClickOnce '
'BlackHat) ClickOnce is a deployment that enables a user to '
'create self-updating Windows-based .NET applications (i.e, '
'.XBAP, .EXE, or .DLL) that install and run from a file share '
'or web page with minimal user interaction. The application '
'launches as a child process of DFSVC.EXE, which is '
'responsible for installing, launching, and updating the '
'application.(Citation: SpectorOps Medium ClickOnce)\n'
'\n'
'Because ClickOnce applications receive only limited '
'permissions, they do not require administrative permissions '
'to install.(Citation: Microsoft Learn ClickOnce) As such, '
'adversaries may abuse ClickOnce to proxy execution of '
'malicious code without needing to escalate privileges.\n'
'\n'
'ClickOnce may be abused in a number of ways. For example, an '
'adversary may rely on [User '
'Execution](https://attack.mitre.org/techniques/T1204). When a '
'user visits a malicious website, the .NET malware is '
'disguised as legitimate software and a ClickOnce popup is '
'displayed for installation.(Citation: NetSPI ClickOnce)\n'
'\n'
'Adversaries may also abuse ClickOnce to execute malware via a '
'[Rundll32](https://attack.mitre.org/techniques/T1218/011) '
'script using the command `rundll32.exe '
'dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS '
'/Dfsvc.exe)\n'
'\n'
'Additionally, an adversary can move the ClickOnce application '
'file to a remote user’s startup folder for continued '
'malicious code deployment (i.e., [Registry Run Keys / Startup '
'Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: '
'Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce '
'Paper)',
'external_references': [{'external_id': 'T1127.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1127/002'},
{'description': 'LOLBAS. (n.d.). /Dfsvc.exe. '
'Retrieved September 9, 2024.',
'source_name': 'LOLBAS /Dfsvc.exe',
'url': 'https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/'},
{'description': 'Microsoft. (2023, September 14). '
'ClickOnce security and deployment. '
'Retrieved September 9, 2024.',
'source_name': 'Microsoft Learn ClickOnce',
'url': 'https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022'},
{'description': 'Nick Powers. (2023, June 7). Less '
'SmartScreen More Caffeine: (Ab)Using '
'ClickOnce for Trusted Code '
'Execution. Retrieved September 9, '
'2024.',
'source_name': 'SpectorOps Medium ClickOnce',
'url': 'https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5'},
{'description': 'Ryan Gandrud. (2015, March 23). All '
'You Need Is One – A ClickOnce Love '
'Story. Retrieved September 9, 2024.',
'source_name': 'NetSPI ClickOnce',
'url': 'https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/'},
{'description': 'William J. Burke IV. (n.d.). '
'Appref-ms Abuse for Code Execution '
'& C2. Retrieved September 9, 2024.',
'source_name': 'Burke/CISA ClickOnce Paper',
'url': 'https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894'},
{'description': 'William Joseph Burke III. (2019, '
'August 7). CLICKONCE AND YOU’RE IN: '
'When .appref-ms abuse is operating '
'as intended. Retrieved September 9, '
'2024.',
'source_name': 'Burke/CISA ClickOnce BlackHat',
'url': 'https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894'}],
'id': 'attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T19:59:08.154Z',
'name': 'ClickOnce',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Wirapong Petshagun'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}