.NET ClickOnce detection

LasCC · web-flow · commit 9358237977e6 · 2025-09-10T15:13:01.000-04:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -404,5 +404,10 @@
         "category" : "Malware & Threats",
         "name" : "Recent ISO Image Mount Activity Detected",
         "query" : "indicator.metadata contains:anycase (\"\\\\Microsoft\\\\Windows\\\\Recent\\\\\") indicator.metadata contains:anycase (\".iso.lnk\", \".img.lnk\", \".vhd.lnk\", \".vhdx.lnk\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by indicator.name, indicator.metadata, src.process.displayName\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, indicator.name, indicator.metadata, src.process.displayName, Count\n| sort -Count\n| limit 100000"
+    },
+    {
+        "category" : "Malware & Threats",
+        "name" : ".NET ClickOnce installation",
+        "query" : "src.process.name = \"rundll32.exe\" #cmdline contains:anycase \"ShOpenVerbApplication\" #cmdline contains:anycase (\"http\",\".application\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000\n"
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -404,5 +404,10 @@`
`404`	`404`	`"category" : "Malware & Threats",`
`405`	`405`	`"name" : "Recent ISO Image Mount Activity Detected",`
`406`	`406`	"query" : "indicator.metadata contains:anycase (\"\\\\Microsoft\\\\Windows\\\\Recent\\\\\") indicator.metadata contains:anycase (\".iso.lnk\", \".img.lnk\", \".vhd.lnk\", \".vhdx.lnk\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by indicator.name, indicator.metadata, src.process.displayName\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, indicator.name, indicator.metadata, src.process.displayName, Count\n\| sort -Count\n\| limit 100000"
	`407`	`+ },`
	`408`	`+ {`
	`409`	`+ "category" : "Malware & Threats",`
	`410`	`+ "name" : ".NET ClickOnce installation",`
	`411`	+ "query" : "src.process.name = \"rundll32.exe\" #cmdline contains:anycase \"ShOpenVerbApplication\" #cmdline contains:anycase (\"http\",\".application\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n\| sort -Count\n\| limit 100000\n"
`407`	`412`	`}`
`408`	`413`	`]`