What if your payload didn’t just appear legitimate — it was genuinely trusted, signed by a recognised third party, and allowed to execute without raising a single alarm?

In this talk, we expose how attackers can exploit the ClickOnce deployment framework to execute arbitrary code using legitimately signed binaries, backed by trusted third-party certificates. Through a stealthy sideloading technique, we preserve the integrity of the signature, bypass SmartScreen, application allowlisting, and endpoint defences, and gain initial access with a single user interaction — no privilege escalation required.

You’ll learn:

• How ClickOnce establishes trust based on digital signatures — and how that trust can be turned against defenders.
• How to leverage signed third-party binaries to deliver and run payloads without tampering.
• A live demonstration of this technique used to achieve code execution on a remote system.
• Detection strategies and controls that can help identify and mitigate this abuse.

If your security model assumes that signed equals safe, this talk will challenge that assumption. Whether you're red or blue, come see how third-party trust can become your biggest blind spot