Less SmartScreen More Caffeine – ClickOnce (Ab)Use for Trusted Code Execution

Presented at DEF CON 30 (2022), Aug. 14, 2022, 1 p.m. (45 minutes)

Initial access payloads have historically had limited methods that work seamlessly in phishing campaigns while maintaining a level of evasion. This payload category has been dominated by Microsoft Office file types, but as recent news has shown, the lifespan of even this technique is shortening. A vehicle for payload delivery that has been greatly overlooked for initial access is ClickOnce. ClickOnce is very versatile and offers many opportunities for maintaining a level of evasion and obfuscation. In this talk we’ll cover methods of bypassing Windows controls such as SmartScreen and application whitelisting, as well as trusted code abuses with ClickOnce applications. Additionally, we’ll discuss methods of turning regular signed or high-reputation .NET assemblies into weaponized ClickOnce deployments. This results in circumvention of common security controls and extends the value of ClickOnce in the offensive use case. Finally, we’ll discuss delivery mechanisms that increase the overall legitimacy of ClickOnce application deployment in phishing campaigns. This talk brings attention to the power of ClickOnce applications and to code execution techniques that are not commonly used.


Presenters:

  • Steven Flores - Senior Consultant at SpecterOps
    Steven Flores is an experienced red team operator and former Marine. Over the years Steven has performed engagements against organizations of varying sizes in industries that include financial, healthcare, legal, and government. Steven enjoys learning new tradecraft and developing tools used during red team engagements. Steven has developed several commonly used red team tools such as SharpRDP, SharpMove, and SharpStay.
  • Nick Powers - Consultant at SpecterOps
    Nick Powers is an operator and red teamer at SpecterOps. He has experience providing, as well as leading, pentest and red team service offerings for a large number of Fortune 500 companies. Prior to offensive security, Nick gained security and consulting experience performing compliance-based gap assessments and vulnerability audits. With a career focused on offensive security, his interests and prior research have included initial access techniques, evasive Windows code execution, and the application of alternate C2 and data exfiltration channels.
