ClickOnce Trust Prompt Tampering

Detects changes to the ClickOnce trust prompt registry key that enable installation from different locations, such as the Internet.

Sigma rule

title: ClickOnce Trust Prompt Tampering
id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
status: test
description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023/06/12
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
        TargetObject|endswith:
            - '\Internet'
            - '\LocalIntranet'
            - '\MyComputer'
            - '\TrustedSites'
            - '\UntrustedSites'
        Details: 'Enabled'
    condition: selection
falsepositives:
    - Legitimate internal requirements.
level: medium
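
The rule's selection, evaluated in Python over constructed registry_set events. This is an added example, not code from the Sigma project or the original page. It shows that the three conditions are ANDed, the zone list is ORed, and matching is case-insensitive, so only an Enabled write to one of the five zone values fires. The event dictionaries and the helper names matches and alerts are assumptions for illustration.

```python
# Added example: the rule's selection logic run over constructed events.
# Strings below are copied from the rule's detection section.
KEY_FRAGMENT = "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel\\"
ZONES = ("\\Internet", "\\LocalIntranet", "\\MyComputer", "\\TrustedSites", "\\UntrustedSites")
DETAILS = "Enabled"


def matches(event):
    """Return True when an event satisfies the rule's selection.

    Sigma compares strings case-insensitively by default, ANDs the fields
    of a selection, ORs the items of a value list, and never matches a
    field that is absent from the event.
    """
    if "TargetObject" not in event or "Details" not in event:
        return False
    target = str(event["TargetObject"]).lower()
    details = str(event["Details"]).lower()
    return (
        KEY_FRAGMENT.lower() in target                            # |contains
        and target.endswith(tuple(z.lower() for z in ZONES))      # |endswith (any of)
        and details == DETAILS.lower()                            # exact value
    )


def alerts(events):
    """Return the zone value name of every event that fires the rule."""
    return [e["TargetObject"].rsplit("\\", 1)[-1] for e in events if matches(e)]


# Constructed sample events using the registry_set fields the rule reads.
BASE = "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\TrustManager\\PromptingLevel\\"
SAMPLE_EVENTS = [
    {"TargetObject": BASE + "Internet", "Details": "Enabled"},            # fires
    {"TargetObject": BASE + "UntrustedSites", "Details": "enabled"},      # fires (case-insensitive)
    {"TargetObject": BASE + "Internet", "Details": "Disabled"},           # hardening, no alert
    {"TargetObject": BASE + "LocalIntranet", "Details": "AuthenticodeRequired"},  # no alert
    {"TargetObject": "HKLM\\SOFTWARE\\Contoso\\Zones\\Internet", "Details": "Enabled"},  # other key
    {"TargetObject": BASE + "Internet"},                                  # Details absent
]

if __name__ == "__main__":
    for zone in alerts(SAMPLE_EVENTS):
        print("ClickOnce trust prompt set to Enabled for zone:", zone)
```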
