sigmamediumHunting

Unsigned Module Loaded by ClickOnce Application

Detects unsigned module load by ClickOnce application.

MITRE ATT&CK

privilege-escalationdefense-evasionpersistence

Detection Query

selection_path:
  Image|contains: \AppData\Local\Apps\2.0\
selection_sig_status:
  - Signed: "false"
  - SignatureStatus: Expired
condition: all of selection_*

Author

@SerkinValery

Created

2023-06-08

Data Sources

windowsImage Load Events

Platforms

windows

References

https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

Tags

attack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1574.001

Raw Content

title: Unsigned Module Loaded by ClickOnce Application
id: 060d5ad4-3153-47bb-8382-43e5e29eda92
status: test
description: Detects unsigned module load by ClickOnce application.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: '@SerkinValery'
date: 2023-06-08
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection_path:
        Image|contains: '\AppData\Local\Apps\2.0\'
    selection_sig_status:
        - Signed: 'false'
        - SignatureStatus: 'Expired'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: medium