tag: Windows · 2 items
- Engineer — Learn: Part 1 is foundational research on how ClickOnce deployment can be weaponized as an initial-access vector; no patch or config action today, but engineers supporting Windows app delivery should understand the attack surface before Part 2 drops with exploitation specifics.
- SOC/IR — Learn: Builds triage context for ClickOnce-based delivery chains; hold detection engineering work until Part 2, which is expected to cover observable behaviors and threat-actor abuse patterns.
- Leader — Skip
- Engineer — Learn: Describes how attackers abuse the ClickOnce deployment mechanism for persistence in Windows environments — no patch or config change indicated, but worth understanding if you deploy .NET apps or manage Windows estates.
- SOC/IR — Plan: New ClickOnce-based persistence TTP with public CrowdStrike analysis — build or tune detections around ClickOnce application installations and associated scheduled tasks or registry run keys in your SIEM/EDR.
- Leader — Skip