BLOG
New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever
HIGH ClickOnce Windows persistence malware delivery
Strategic summary
ClickOnce applications provide threat actors with a built-in update mechanism and reliable persistence method through .appref-ms files in the Start Menu, executable on every user launch.
Relevance for you
ClickOnce applications provide threat actors with a built-in update mechanism and reliable persistence method through .appref-ms files in the Start Menu, executable on every user launch.
Risk score
15
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -5.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
VENDOR_MISMATCHVendor not found in alert title −5
- Consensus penalty:
- −5.0
- Total penalty:
- −5.0
MITRE ATT&CK mapping
2 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1127 | Technique T1127 explicitly referenced in source: Blog | high | primary | |
| T1546 | Technique T1546 explicitly referenced in source: Blog | high | primary |