Threat Huntmediumtest

ClickOnce Deployment Execution - Dfsvc.EXE Child Process

Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Mon Jun 12241d52b5-eee0-49d0-ac8a-8b9c15c7221cwindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\dfsvc.exe'
        Image|endswith: '\AppData\Local\Apps\2.0\'
    condition: selection

False Positives

False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.

References

Resolving title…

posts.specterops.io

MITRE ATT&CK

Tactics

TA0002 · Execution TA0005 · Defense Evasion

Other

detection.threat-hunting

Rule Metadata

Rule ID

241d52b5-eee0-49d0-ac8a-8b9c15c7221c

Status

test

Level

medium

Type

Threat Hunt

Created

Mon Jun 12

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml

Raw Tags

attack.executionattack.defense-evasiondetection.threat-hunting

View on GitHub