CuraSec

Plan active

ClickOnce Abused for Persistent Threat Actor Access (Part 2)

2026-07-11 11:49 UTC · CrowdStrike Blog · read the source ↗ #windows#persistence#ttp
  • Engineer — Learn: Describes how attackers abuse the ClickOnce deployment mechanism for persistence in Windows environments — no patch or config change indicated, but worth understanding if you deploy .NET apps or manage Windows estates.
  • SOC/IR — Plan: New ClickOnce-based persistence TTP with public CrowdStrike analysis — build or tune detections around ClickOnce application installations and associated scheduled tasks or registry run keys in your SIEM/EDR.
  • Leader — Skip
This entry was curated and judged by AI (Claude) with automated enrichment (CISA KEV / EPSS / public PoC). Verify against the original source before acting. Found a bad verdict? Report it — confirmed errors go to the corrections log.