Phishing
Executable
Double Click
Contributors:
mr.d0x
Description:
APPLICATION files use Microsoft's ClickOnce technology, which enables users to install and run a Windows-based smart client application by clicking a link in a web page. APPLICATION files are capable of downloading malware from a web server and installing it with one simple click. They can also be used to grab NTLM hashes, although that has been patched as part of KB4576630.
OS:
Windows
Recommendation:
Block execution of APPLICATION files from unknown publishers, or fully block the download and execution of APPLICATION files.
Resources:
File Samples: