ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Sigma rule (View on GitHub)
1title: ClickOnce Trust Prompt Tampering
2id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
3status: experimental
4description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
5references:
6 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
7 - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
8author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
9date: 2023/06/12
10modified: 2023/08/17
11tags:
12 - attack.defense_evasion
13 - attack.t1112
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
20 TargetObject|endswith:
21 - '\Internet'
22 - '\LocalIntranet'
23 - '\MyComputer'
24 - '\TrustedSites'
25 - '\UntrustedSites'
26 Details: 'Enabled'
27 condition: selection
28falsepositives:
29 - Legitimate internal requirements.
30level: medium
References
-
The contents of this blogpost was written by Nick Powers (@zyn3rgy) and Steven Flores (@0xthirteen), and is a written version of the…
Read More -
Learn how to configure the ClickOnce trust prompt to control whether end users are given the option of installing ClickOnce applications.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- DHCP Callout DLL Installation