sigmamediumHunting

ClickOnce Deployment Execution - Dfsvc.EXE Child Process

Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.

Detection Query

selection:
  ParentImage|endswith: \dfsvc.exe
  Image|endswith: \AppData\Local\Apps\2.0\
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-06-12

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

Tags

attack.executionattack.defense-evasiondetection.threat-hunting

Raw Content

title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
status: test
description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.defense-evasion
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dfsvc.exe'
        Image|endswith: '\AppData\Local\Apps\2.0\'
    condition: selection
falsepositives:
    - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
level: medium