| ID | Name |
|---|---|
| ATAGS-T1108.001 | ClickOnce |
| ATAGS-T1108.002 | JamPlus |
| ATAGS-T1108.003 | MSBuild |

Threat actors may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility. ClickOnce is a deployment technology that enables a user to create self-updating Windows-based .NET applications (i.e., .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
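
Because the application runs as a child of DFSVC.EXE, process lineage is a practical detection pivot. The following is an added example, not part of the original page: it walks process-creation events and lists every process descended from dfsvc.exe, with its full parent chain for triage. The field names follow Sysmon Event ID 1 (an assumption about the log source), and the sample events and paths are constructed.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample events; field names assume Sysmon Event ID 1.
EVENTS = [
    {"ProcessGuid": "B1", "ParentProcessGuid": "A0",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"ProcessGuid": "C1", "ParentProcessGuid": "B1",
     "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\EXAMPLE\sample.exe"},
    {"ProcessGuid": "D1", "ParentProcessGuid": "C1",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "E1", "ParentProcessGuid": "A1",
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def dfsvc_descendants(events):
    """Return one finding per process that has dfsvc.exe as an ancestor."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessGuid"]].append(e["ProcessGuid"])

    # Every dfsvc.exe instance is the root of a ClickOnce process tree.
    roots = [g for g, e in by_guid.items()
             if basename(e["Image"]).lower() == "dfsvc.exe"]
    stack = [(g, [basename(by_guid[g]["Image"])]) for g in roots]
    seen = set(roots)
    findings = []
    while stack:
        guid, chain = stack.pop()
        for child in children[guid]:
            if child in seen:  # guard against duplicated or looping records
                continue
            seen.add(child)
            child_chain = chain + [basename(by_guid[child]["Image"])]
            findings.append({"guid": child,
                             "depth": len(child_chain) - 1,
                             "chain": " > ".join(child_chain)})
            stack.append((child, child_chain))
    return findings


if __name__ == "__main__":
    for f in sorted(dfsvc_descendants(EVENTS), key=lambda f: f["depth"]):
        print(f["depth"], f["chain"])
```

Depth 1 entries are the ClickOnce applications themselves; deeper entries are what those applications went on to launch, which is usually where review effort is best spent.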