ClickOnce and You're in - When Appref-ms Abuse is Operating as Intended

Conference: BlackHat USA 2019



The presentation discusses the use of .appref-ms files as a delivery method for cyber attacks and how to defend against it.
  • An .appref-ms file can be used for various cyber attacks such as phishing, lateral movement, and C2 management.
  • Defending against .appref-ms abuse involves blocking any suspicious activity, monitoring for legitimate use cases, cleaning up registry keys, and training end-users not to click on suspicious links.
  • An .appref-ms file can also be used as a lifeline for C2 management by setting it on a timer to check for updates and execute benign applications.
  • Social engineering plays a crucial role in the success of an .appref-ms attack.
  • The speaker encourages experimentation and tinkering with .appref-ms files to discover new uses and defenses.
The speaker gives an example of how an .appref-ms file can be used to deliver an evil calculator. The attacker sends a seemingly harmless file to the victim, which prompts the user to run a ClickOnce application. Once the user approves, the evil calculator is installed and can execute malicious code. This illustrates the importance of training end-users not to click on suspicious links.


As tried-and-true methods of code execution via phishing are getting phased out, new research was required to maintain that avenue of gaining initial access. Sifting through different file types and how they operate led to further examination of the ".Appref-ms" extension, utilized by Microsoft's ClickOnce. This research led down a long and winding road, not only resulting in some new updates to be applied to our phishing methodology but an innovative method for C2 management as well - all while staying within the means of how appref-ms is intended to be used.

Follow us down the rabbit hole as we delve into what an .appref-ms file is, how it operates, and some of the methods discovered that can be leveraged to deploy our own nefarious purposes. We will also provide insight on what this execution looks like from the user's perspective, and additional steps that can be taken throughout deployment to further mask and enhance these malicious capabilities.

To play our own devil's advocate, we will also cover potential indicators of compromise that result from appref-ms abuse in addition to some preemptive measures that can be deployed to protect against it. Appref-ms abuse has the potential to be a great addition to any security tester's toolkit. It runs natively on Windows 10 and 7, blends in with normal operations, and is an easily adaptable method of code delivery and execution. It's up to you to determine how to use it.