ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Sigma rule (View on GitHub)
1title: ClickOnce Trust Prompt Tampering
2id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
3status: test
4description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
5references:
6 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
7 - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
8author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
9date: 2023-06-12
10modified: 2023-08-17
11tags:
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.t1112
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
21 TargetObject|endswith:
22 - '\Internet'
23 - '\LocalIntranet'
24 - '\MyComputer'
25 - '\TrustedSites'
26 - '\UntrustedSites'
27 Details: 'Enabled'
28 condition: selection
29falsepositives:
30 - Legitimate internal requirements.
31level: medium
References
-
With the barrier to entry for initial access ever increasing, we spent some time digging into potentially lesser-known weaponization options for ClickOnce deployments...
Read More -
Learn how to configure the ClickOnce trust prompt to control whether end users are given the option of installing ClickOnce applications.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird