T1127.002: ClickOnce

ClickOnce matters because it can let code run through a trusted Windows deployment mechanism with minimal user interaction and without administrative installation rights. For leaders, the risk is not just “malware execution”; it is whether the organization can distinguish legitimate self-updating .NET application use from abuse that blends into normal Windows behavior.

Executive priority

Prioritize this where Windows users can launch ClickOnce applications from web pages or file shares, especially in environments that rely on browser-based software delivery or lightweight user-installed applications. The key business question is whether web access controls, software trust policy, and SOC telemetry provide enough evidence to prove what was launched, from where, by whom, and whether persistence was attempted through startup locations.

Technical view

This is a Windows sub-technique under Trusted Developer Utilities Proxy Execution, associated with stealth and execution. Validate visibility around ClickOnce file types such as .appref-ms and .application, DFSVC.EXE launching applications, and related proxy execution patterns involving trusted Windows components. Because ATT&CK provides no official detection text for this object, use the related DET0191 behavior-chain strategy as direction: correlate user-driven launch context, web or file-share origin, process ancestry, application install/update behavior, and any follow-on persistence such as startup folder placement.

Likely telemetry

Windows process creation telemetry, including parent/child relationships involving DFSVC.EXE
Command-line telemetry for trusted Windows utilities associated with ClickOnce launch behavior
File creation and execution events for .appref-ms and .application files
Browser, web proxy, or secure web gateway logs showing access to ClickOnce delivery locations
File share access logs where ClickOnce applications may be launched from network locations

Detection direction

Build behavior-chain detections rather than relying on a single binary name, because ClickOnce has legitimate administrative and business uses.
Baseline legitimate ClickOnce usage by department, application source, signer, and hosting location before treating all DFSVC.EXE activity as suspicious.
Correlate ClickOnce launch events with recent web visits, downloads, file-share access, and user execution activity.
Review child processes and post-launch behavior for unusual network activity, unexpected payload locations, or persistence attempts.
Tune false positives for approved internal ClickOnce applications and documented software deployment workflows.

Mitigation priorities

Restrict web-based content using URL filtering, download restrictions, and controls over access to untrusted ClickOnce delivery locations.
Disable or remove ClickOnce-related capability where the business does not require it, using change control to avoid disrupting legitimate applications.
Apply code-signing and software trust controls so only authorized and trusted software sources are permitted where feasible.
Harden monitoring around startup folders and related persistence locations because the ATT&CK description notes ClickOnce application files may be moved there for continued deployment.
Document approved ClickOnce applications and owners so SOC and incident response teams can quickly separate expected business use from suspicious execution.

Analyst notes and limits

The supplied ATT&CK object is a sub-technique of T1127 Trusted Developer Utilities Proxy Execution and is limited to Windows. The strongest defensive value is in validating whether ClickOnce is expected in the environment and whether telemetry can connect user action, source location, trusted utility execution, and follow-on persistence.

ATT&CK does not provide official detection guidance for this object in the supplied fields. This take relies on the official description, external references, and listed relationships, including DET0191 and mitigations M1021, M1042, and M1045. Local software inventory, proxy policy, endpoint logging depth, and approved application deployment practices are required to assess actual risk and coverage.

Official MITRE ATT&CK definition

ClickOnce

Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.[1] ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.[2]

Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.[3] As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.

ClickOnce may be abused in a number of ways. For example, an adversary may rely on User Execution. When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.[4]

Adversaries may also abuse ClickOnce to execute malware via a Rundll32 script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.[5]

Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., Registry Run Keys / Startup Folder).[1][6]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1127	Trusted Developer Utilities Proxy Execution	This object subtechnique of Trusted Developer Utilities Proxy Execution.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise subtechnique of · Technique T1127: Trusted Developer Utilities Proxy Execution Enterprise detects · Detection Strategy DET0191: Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows) Enterprise mitigates · Mitigation M1021: Restrict Web-Based Content Enterprise mitigates · Mitigation M1045: Code Signing Enterprise

Mitigations

Mitigation direction

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

M1021: Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

- Use solutions to filter web traffic based on categories, reputation, and content types. - Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

- Implement tools to restrict access to domains associated with malware or phishing campaigns. - Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

- Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

- Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting. - Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

- Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity. - Configure alerts for access attempts to blocked domains or repeated file download failures.

M1045: Code Signing

Code Signing is a security process that ensures the authenticity and integrity of software by digitally signing executables, scripts, and other code artifacts. It prevents untrusted or malicious code from executing by verifying the digital signatures against trusted sources. Code signing protects against tampering, impersonation, and distribution of unauthorized or malicious software, forming a critical defense against supply chain and software exploitation attacks. This mitigation can be implemented through the following measures:

Enforce Signed Code Execution:

- Implementation: Configure operating systems (e.g., Windows with AppLocker or Linux with Secure Boot) to allow only signed code to execute. - Use Case: Prevent the execution of malicious PowerShell scripts by requiring all scripts to be signed with a trusted certificate.

Vendor-Signed Driver Enforcement:

- Implementation: Enable kernel-mode code signing to ensure that only drivers signed by trusted vendors can be loaded. - Use Case: A malicious driver attempting to modify system memory fails to load because it lacks a valid signature.

Certificate Revocation Management:

- Implementation: Use Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to block certificates associated with compromised or deprecated code. - Use Case: A compromised certificate used to sign a malicious update is revoked, preventing further execution of the software.

Third-Party Software Verification:

- Implementation: Require software from external vendors to be signed with valid certificates before deployment. - Use Case: An organization only deploys signed and verified third-party software to prevent supply chain attacks.

Script Integrity in CI/CD Pipelines:

- Implementation: Integrate code signing into CI/CD pipelines to sign and verify code artifacts before production release. - Use Case: A software company ensures that all production builds are signed, preventing tampered builds from reaching customers.

**Key Components of Code Signing**

- Digital Signature Verification: Verifies the authenticity of code by ensuring it was signed by a trusted entity. - Certificate Management: Uses Public Key Infrastructure (PKI) to manage signing certificates and revocation lists. - Enforced Policy for Unsigned Code: Prevents the execution of unsigned or untrusted binaries and scripts. - Hash Integrity Check: Confirms that code has not been altered since signing by comparing cryptographic hashes.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Sep 9, 2024, 14:39 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 02cbe4371d0eb7b9...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`02cbe4371d0e…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Burke/CISA ClickOnce BlackHat

William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE IN: When .appref-ms abuse is operating as intended. Retrieved September 9, 2024.
Open source URL
[2]
SpectorOps Medium ClickOnce

Nick Powers. (2023, June 7). Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.
Open source URL
[3]
Microsoft Learn ClickOnce

Microsoft. (2023, September 14). ClickOnce security and deployment. Retrieved September 9, 2024.
Open source URL
[4]
NetSPI ClickOnce

Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024.
Open source URL
[5]
LOLBAS /Dfsvc.exe

LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
Open source URL
[6]
Burke/CISA ClickOnce Paper

William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution & C2. Retrieved September 9, 2024.
Open source URL
[7]
mitre-attack T1127.002
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams