Skip to content
Quick Malicious ClickOnceGenerator for Red Team
Branch: master
Clone or download
Latest commit 0f7805d Jun 16, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
template Update Program-ps.cs Jun 17, 2019 Update Jun 7, 2018 Create Mar 30, 2018 Update Apr 24, 2018
config-report.json Create config-report.json Apr 24, 2018
config.json Obfuscating variables Apr 15, 2018


Quick Malicious ClickOnceGenerator for Red Team. The default application a simple WebBrowser widget that point to a website of your choice.


$ python --help

ClickOnceGenerator | Mr.Un1k0d3r RingZer0 Team
usage: [-h] [--config CONFIG] [--out OUT]
                             [--override [OVERRIDE]]

ClickOnceGenerator Options.

optional arguments:
  -h, --help            show this help message and exit
  --config CONFIG       Path to the JSON config file.
  --out OUT             Output solution name.
  --override [OVERRIDE]
                        Delete destination if exists
  --report [REPORT]     Will perform a POST request to the url defined by url_report variable. The POST contains the list of running processes                    
python --config config.json --out myClickOnce --override True --report True

config.json example. The shellcode payload.bin need to be the RAW format of your shellcode.

        "title": "My Evil ClickOnce",
        "url": "",
        "shellcode": "payload.bin",
        "process_name": "iexplore"
  • title is the title of the ClickOnce Application
  • url url used by the WebBrowser widget
  • shellcode the payload you want to execute while the application is launched
  • process_name used to evade sandbox by checking if a specific process is running. (default to iexplore)

Windows 10

process_name on Windows 10 should be set to MicrosoftEdge instead of iexplore.

Generating the Visual Studio Project

Once the files are created in the target folder create a new C# project and import the files.

To publish the ClickOnce in Visual Studio go to Project -> Publish


Mr.Un1k0d3r RingZer0 Team

You can’t perform that action at this time.