Initial access payloads have historically had limited methods that work seamlessly in phishing campaigns and can maintain a level of evasion. This payload category has been dominated by Microsoft Office types, but as recent news has shown, the lifespan of even this technique is shortening. A vehicle for payload delivery that has been greatly overlooked for initial access is ClickOnce. ClickOnce is very versatile and has a lot of opportunities for maintaining a level of evasion and obfuscation.
In this webinar, Nick Powers and Steven Flores discuss methods of bypassing Windows controls such as SmartScreen, application whitelisting, and trusted code abuses with ClickOnce applications. Additionally, they review methods of turning regular signed or high reputation .NET assemblies into weaponized ClickOnce deployments. This results in circumvention of common security controls and extend the value of ClickOnce in the offensive use case. Lastly, they discuss delivery mechanisms to increase the overall legitimacy of ClickOnce application deployment in phishing campaigns. This webinar can bring to attention the power of ClickOnce applications and code execution techniques that are not commonly used.