Skip to content
Auto-CTI
Back to all deep dives
BLOG

New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever

HIGH ClickOnce Windows persistence malware delivery

Strategic summary

ClickOnce applications provide threat actors with a built-in update mechanism and reliable persistence method through .appref-ms files in the Start Menu, executable on every user launch.

Relevance for you

ClickOnce applications provide threat actors with a built-in update mechanism and reliable persistence method through .appref-ms files in the Start Menu, executable on every user launch.

Risk score

15
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-5.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • VENDOR_MISMATCH Vendor not found in alert title −5
Consensus penalty:
−5.0
Total penalty:
−5.0

MITRE ATT&CK mapping

2 TTPs
Recon
Resource Dev
Initial Access
Execution
Persistence
Priv. Escal.
Def. Evasion
Cred. Access
Discovery
Lateral Mov.
Collection
C2
Exfiltration
Impact
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1127
Technique T1127 explicitly referenced in source: Blog high primary
T1546
Technique T1546 explicitly referenced in source: Blog high primary
ESC