Skip to content
TopicTracker
From HackerNewsView original
TranslationTranslation

New Abuse of the ClickOnce Technology

CrowdStrike reports a new abuse of ClickOnce technology, where attackers repurpose legitimate Microsoft deployment manifests to bypass security controls and deliver malware.

Background

- CrowdStrike is a leading US cybersecurity company best known for endpoint protection (software installed on laptops/servers to detect threats). In July 2024, a faulty CrowdStrike update famously caused a global Windows outage. - ClickOnce is a Microsoft .NET technology that lets developers deploy Windows apps with one click from a web browser. It's been in Windows for over a decade and is widely used by internal enterprise IT teams. - This article describes a new attack technique: malware authors are abusing ClickOnce's built-in code-signing and update mechanism to bypass modern Windows security defenses (SmartScreen, Mark-of-the-Web, Microsoft Defender). - The abuse works because ClickOnce apps can be signed once, then silently download and run new code later via their update feature — without triggering the usual "this file came from the internet" warnings. - This matters for IT security teams because traditional detection rules that look for suspicious file types or downloads may miss threats hidden inside legitimate-looking ClickOnce deployment manifests.