New Abuse of the ClickOnce Technology
CrowdStrike reports a new abuse of ClickOnce technology, where attackers repurpose legitimate Microsoft deployment manifests to bypass security controls and deliver malware.
Background
- CrowdStrike is a leading US cybersecurity company best known for endpoint protection (software installed on laptops/servers to detect threats). In July 2024, a faulty CrowdStrike update famously caused a global Windows outage.
- ClickOnce is a Microsoft .NET technology that lets developers deploy Windows apps with one click from a web browser. It's been in Windows for over a decade and is widely used by internal enterprise IT teams.
- This article describes a new attack technique: malware authors are abusing ClickOnce's built-in code-signing and update mechanism to bypass modern Windows security defenses (SmartScreen, Mark-of-the-Web, Microsoft Defender).
- The abuse works because ClickOnce apps can be signed once, then silently download and run new code later via their update feature — without triggering the usual "this file came from the internet" warnings.
- This matters for IT security teams because traditional detection rules that look for suspicious file types or downloads may miss threats hidden inside legitimate-looking ClickOnce deployment manifests.