What if we told you there's a Windows feature that's been quietly sitting in plain sight for decades, just waiting to be weaponized in a way no one thought to look for? Meet ClickOnce: Microsoft's well-intentioned deployment technology that lets users run, install, and automatically update applications with minimal interaction and zero admin privileges. While this feature has been simplifying software deployment for decades now, its convenience turns out to come with some unexpected baggage.
Deep diving into this overlooked technology, we reverse engineered the ClickOnce deployment stack from the ground up, documenting for the first time how its components actually work behind the scenes. Through this process, we uncovered a new abuse of ClickOnce that allows an unprivileged user to establish fileless persistence on the system. By repurposing some old tricks, threat actors can abuse an attack surface exposed by the ClickOnce components to execute their payload every time a user interacts with a ClickOnce application. No elevated privileges are needed, no suspicious files are left behind, and as a bonus, the malicious payload runs under a native Windows process.
In this talk, we'll demystify ClickOnce by exploring its deployment scenarios and documenting how it works behind the scenes. We'll walk through the journey that led to our discovery, demonstrate the technique live, and wrap up with practical detection strategies to protect against it. By the end, you'll understand how sometimes the most unexpected threats come gift-wrapped in Microsoft's most helpful features.
