{
	"id": "8260dd6d-b3c2-4752-a121-9073801b17d8",
	"created_at": "2026-04-06T01:31:57.48039Z",
	"updated_at": "2026-04-10T03:20:23.724029Z",
	"deleted_at": null,
	"sha1_hash": "68f6f9bc6c957669a891550bcf77a716ae547350",
	"title": "Dfsvc on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27219,
	"plain_text": "Dfsvc on LOLBAS\r\nArchived: 2026-04-06 00:22:16 UTC\r\nExecutes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)\r\nUse case\r\nUse binary to bypass Application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1127.002: ClickOnce\r\nTags\r\nExecute: ClickOnce\r\nExecute: Remote\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Dfsvc/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/"
	],
	"report_names": [
		"Dfsvc"
	],
	"threat_actors": [],
	"ts_created_at": 1775439117,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68f6f9bc6c957669a891550bcf77a716ae547350.pdf",
		"text": "https://archive.orkl.eu/68f6f9bc6c957669a891550bcf77a716ae547350.txt",
		"img": "https://archive.orkl.eu/68f6f9bc6c957669a891550bcf77a716ae547350.jpg"
	}
}