AN0550: Analytic 0550
Abuse of ClickOnce applications where rundll32.exe invokes dfshim.dll with ShOpenVerbApplication or dfsvc.exe spawns unexpected child processes or loads unsigned modules.
Analyst context for executives and security teams
This analytic matters because ClickOnce application behavior can blur the line between legitimate Windows application deployment and suspicious execution. For leaders, the practical issue is whether the organization can distinguish normal ClickOnce use from abuse patterns involving rundll32.exe, dfshim.dll, dfsvc.exe, unexpected child processes, or unsigned module loads on Windows systems.
Executive priority
Prioritize this where Windows endpoints support business-critical workflows or where ClickOnce is used for internal or third-party application delivery. The decision value is validating whether SOC and incident response teams have enough endpoint visibility to investigate suspicious application launch chains without disrupting legitimate software operations. It can also support audit and control evidence around endpoint monitoring, application execution visibility, and unsigned code review.
Technical view
For SOC, detection engineering, and IR teams, validate telemetry for Windows process creation and module load activity related to ClickOnce components. The supplied analytic describes two suspicious patterns: rundll32.exe invoking dfshim.dll with ShOpenVerbApplication, and dfsvc.exe spawning unexpected child processes or loading unsigned modules. Because no ATT&CK tactic, technique relationship, or official detection logic is supplied, teams should treat this as a behavior-focused validation item rather than a complete detection rule.
Likely telemetry
- Windows process creation events showing parent/child process relationships
- Command-line telemetry for rundll32.exe invocation of dfshim.dll and ShOpenVerbApplication
- Module load telemetry for dfsvc.exe and related loaded DLLs
- Code signing or file reputation metadata for modules loaded by dfsvc.exe
- Endpoint detection and response records for ClickOnce-related process trees
Detection direction
- Baseline legitimate ClickOnce usage before alerting aggressively, especially where business applications rely on ClickOnce deployment.
- Review rundll32.exe executions that reference dfshim.dll and ShOpenVerbApplication for unusual user, host, path, or timing context.
- Monitor dfsvc.exe for unexpected child processes rather than assuming all dfsvc.exe activity is malicious.
- Flag unsigned modules loaded by dfsvc.exe for triage, while accounting for local software inventory and trusted internal development workflows.
- Use process lineage and code-signing context together; either signal alone may produce false positives in environments with legitimate ClickOnce applications.
Mitigation priorities
- Inventory where ClickOnce is legitimately used and which applications, publishers, and hosts are expected.
- Ensure endpoint logging captures process command lines, parent-child relationships, module loads, and signing metadata on Windows systems.
- Define investigation playbooks for suspicious ClickOnce process chains, including validation of application source, publisher, user context, and affected host role.
- Where feasible, apply application control and software trust policies to reduce execution of unapproved or unsigned components.
- Coordinate with application owners before blocking ClickOnce-related behavior to avoid disrupting legitimate business applications.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The useful defensive focus is operational validation: whether Windows endpoint telemetry can expose the specific ClickOnce-related behaviors described and whether analysts can separate expected application deployment from suspicious process or module activity.
The official object provides no tactic, no relationship context, and no official detection logic beyond the behavior description. It does not support claims about active exploitation, actor attribution, prevalence, impact, or guaranteed detection coverage. Local environment baselines are required to determine what is unexpected or unauthorized.
Analytic 0550
Abuse of ClickOnce applications where rundll32.exe invokes dfshim.dll with ShOpenVerbApplication or dfsvc.exe spawns unexpected child processes or loads unsigned modules.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 1940381ec314… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0550Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.