BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//EZTMNB
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-recon-2026-EZTMNB@cfp.recon.cx
DTSTART;TZID=EST:20260619T110000
DTEND;TZID=EST:20260619T120000
DESCRIPTION:What if we told you there's a Windows feature that's been quiet
 ly sitting in plain sight for decades\, just waiting to be weaponized in a
  way for which no one thought to look? Meet ClickOnce: Microsoft's well-in
 tentioned deployment technology that lets users run\, install\, and automa
 tically update applications with minimal interaction and zero admin privil
 eges. While this feature has been simplifying software deployment for deca
 des now\, it turns out its convenience comes with some unexpected baggage.
 \n\nDeep diving into this overlooked technology\, we reverse engineered th
 e ClickOnce deployment stack from the ground up\, documenting for the firs
 t time how its components actually work behind the scenes. Through this pr
 ocess\, we uncovered a new abuse of the ClickOnce technology that allows a
 n unprivileged user to establish fileless persistence on the system. By re
 purposing some old tricks\, threat actors can abuse an attack surface expo
 sed by the ClickOnce components to execute their payload every time a user
  interacts with a ClickOnce application. No elevated privileges needed\, n
 o suspicious files left behind\, and as a bonus\, the malicious payload ru
 ns under a native Windows process!\n\nIn this talk\, we'll demystify the C
 lickOnce technology by exploring its deployment scenarios and documenting 
 how it works behind the scene. We'll walk through the journey that led to 
 our new discovery\, demonstrate the technique live\, and wrap up with prac
 tical detection strategies to protect against these techniques. By the end
 \, you'll understand how sometimes the most unexpected threats come gift-w
 rapped in Microsoft's most helpful features.
DTSTAMP:20260612T172937Z
LOCATION:Grand Salon Opera
SUMMARY:Click Once and Stay Forever: uncovering a new abuse of the ClickOnc
 e technology - Mathilde Venault
URL:https://cfp.recon.cx/recon-2026/talk/EZTMNB/
END:VEVENT
END:VCALENDAR