
Summary
This detection rule identifies a ClickOnce application loading an unsigned module, which can indicate malicious activity or abuse of legitimate application functionality. ClickOnce is a Microsoft deployment technology that lets users install and run Windows applications by clicking a link in a web browser; the installed files are placed in a per-user cache under `\AppData\Local\Apps\2.0\`. The rule targets image-load events in which a process running from that cache loads a module that also resides under it, and checks the module's signature status, flagging modules that are unsigned or carry an expired signature, since either condition removes the assurance a valid code signature would otherwise provide. Unsigned modules in a ClickOnce deployment can be legitimate in some contexts (for example, third-party libraries shipped without a signature), but a ClickOnce application repeatedly loading such modules can be a persistence mechanism used by an adversary. Hits should be triaged together with other indicators, such as where the deployment was downloaded from and the reputation of the loaded file. The linked reference provides further detail on abusing ClickOnce deployment features.
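The matching logic described above, run over a handful of constructed image-load events, as an added example (this is not the rule's own code or query). Field names follow the Sysmon Event ID 7 (Image loaded) schema: `Image`, `ImageLoaded`, `Signed` and `SignatureStatus`; the requirement that both the loading process and the loaded module sit under the ClickOnce cache is my reading of the description, and the sample paths and events are invented for the example.

```python
"""Illustrative matcher for the ClickOnce unsigned-module-load rule.

Added example, not the detection rule's own implementation. Events are
plain dicts using Sysmon Event ID 7 field names; SAMPLE_EVENTS below are
constructed for this example and do not come from a real host.
"""
from __future__ import annotations

# Cache path marker from the rule description, lower-cased because
# Windows paths are case-insensitive.
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"


def in_clickonce_cache(path: str) -> bool:
    """True if the path lies under the per-user ClickOnce cache."""
    return CLICKONCE_CACHE in path.lower()


def weak_signature(event: dict) -> bool:
    """True if the loaded module is unsigned or its signature has expired.

    Sysmon emits Signed as the strings "true"/"false" and SignatureStatus
    as values such as "Valid", "Expired" or "Unavailable".
    """
    signed = str(event.get("Signed", "")).lower() == "true"
    status = str(event.get("SignatureStatus", "")).lower()
    return (not signed) or status == "expired"


def is_suspicious_clickonce_load(event: dict) -> bool:
    """Assumption: both the loading process (Image) and the loaded module
    (ImageLoaded) must reside in the ClickOnce cache for the rule to fire."""
    return (
        event.get("EventID") == 7
        and in_clickonce_cache(str(event.get("Image", "")))
        and in_clickonce_cache(str(event.get("ImageLoaded", "")))
        and weak_signature(event)
    )


def run(events: list[dict]) -> list[int]:
    """Return the indices of events that match the rule."""
    return [i for i, ev in enumerate(events) if is_suspicious_clickonce_load(ev)]


# Constructed sample events (hypothetical paths and hashes of no real app).
_CACHE_DIR = "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD1234.567\\XYZ89ABC.DEF\\"

SAMPLE_EVENTS = [
    {  # 0: unsigned helper DLL loaded from the cache -> should match
        "EventID": 7,
        "Image": _CACHE_DIR + "Updater.exe",
        "ImageLoaded": _CACHE_DIR + "Helper.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
    {  # 1: module with an expired signature -> should match
        "EventID": 7,
        "Image": _CACHE_DIR + "Updater.exe",
        "ImageLoaded": _CACHE_DIR + "Plugin.dll",
        "Signed": "true",
        "SignatureStatus": "Expired",
    },
    {  # 2: validly signed module -> no match
        "EventID": 7,
        "Image": _CACHE_DIR + "Updater.exe",
        "ImageLoaded": _CACHE_DIR + "Core.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {  # 3: unsigned module, but loaded from outside the cache -> out of scope
        "EventID": 7,
        "Image": _CACHE_DIR + "Updater.exe",
        "ImageLoaded": "C:\\Temp\\x.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
    {  # 4: non-ClickOnce process loading an unsigned DLL -> out of scope
        "EventID": 7,
        "Image": "C:\\Program Files\\Tool\\tool.exe",
        "ImageLoaded": "C:\\Program Files\\Tool\\helper.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for idx in run(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[match] {ev['Image']} loaded {ev['ImageLoaded']} "
              f"(Signed={ev['Signed']}, SignatureStatus={ev['SignatureStatus']})")
```

Events 3 and 4 show the scoping the description implies: an unsigned load by a ClickOnce process from outside the cache, or by a process that is not ClickOnce-hosted, is left to other rules. When triaging a hit, compare the loaded file against the application's deployment contents and check where the deployment was downloaded from before treating it as persistence.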
Categories
- Windows
- Application
Data Sources
- Image
Created: 2023-06-08