ClickOnce and You're in - When Appref-ms Abuse is Operating as Intended

As tried-and-true methods of code execution via phishing are phased out, new research was required to maintain that avenue of gaining initial access. Sifting through different file types and how they operate led to a closer examination of the ".appref-ms" extension used by Microsoft's ClickOnce. This research led down a long and winding road, resulting not only in updates to our phishing methodology but also in an innovative method for C2 management, all while staying within the bounds of how appref-ms is intended to be used.

Follow us down the rabbit hole as we delve into what an .appref-ms file is, how it operates, and some of the methods we discovered that can be leveraged for our own nefarious purposes. We will also provide insight into what this execution looks like from the user's perspective, and additional steps that can be taken throughout deployment to further mask and enhance these malicious capabilities.

To play our own devil's advocate, we will also cover potential indicators of compromise that result from appref-ms abuse in addition to some preemptive measures that can be deployed to protect against it.

Appref-ms abuse has the potential to be a great addition to any security tester's toolkit. It runs natively on Windows 10 and 7, blends in with normal operations, and is an easily adaptable method of code delivery and execution. It's up to you to determine how to use it.
