ClickOnce and You're in - When Appref-ms Abuse is Operating as Intended

Black Hat USA 2019

Presented by: William Burke
Date: Wednesday August 07, 2019
Time: 10:30 - 10:55
Location: Lagoon JKL

As tried-and-true methods of code execution via phishing are getting phased out, new research was required to maintain that avenue of gaining initial access. Sifting through different file types and how they operate led to further examination of the ".Appref-ms" extension, utilized by Microsoft's ClickOnce. This research led down a long and winding road, not only resulting in some new updates to be applied to our phishing methodology but an innovative method for C2 management as well - all while staying within the means of how appref-ms is intended to be used.

Follow us down the rabbit hole as we delve into what an .appref-ms file is, how it operates, and some of the methods discovered that can be leveraged for our own nefarious purposes. We will also provide insight on what this execution looks like from the user's perspective, and additional steps that can be taken throughout deployment to further mask and enhance these malicious capabilities.

To play our own devil's advocate, we will also cover potential indicators of compromise that result from appref-ms abuse in addition to some preemptive measures that can be deployed to protect against it.

Appref-ms abuse has the potential to be a great addition to any security tester's toolkit. It runs natively on Windows 10 and 7, blends in with normal operations, and is an easily adaptable method of code delivery and execution. It's up to you to determine how to use it.

William Burke

William Burke is a red team lead with the Cybersecurity and Infrastructure Security Agency (CISA), where he manages and operates on cybersecurity engagements in support of the Federal Government, State / Local / Tribal / Territorial (SLTT) entities, and Critical Infrastructure / Key Resources (CIKR). With fifteen years across the intelligence and cyber security fields, he has served with CISA's National Cybersecurity Assessments and Technical Services (NCATS) team since 2015, where he contributed to the foundations and technologies that evolved into the Nation's Red Team. In his spare time, he also teaches a self-developed course as an Adjunct Graduate Professor in Marymount University's cybersecurity program.
