{"id":1103,"date":"2020-01-18T19:30:01","date_gmt":"2020-01-18T17:30:01","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1103"},"modified":"2026-06-08T23:08:53","modified_gmt":"2026-06-08T23:08:53","slug":"red-teaming-series-antivirus-bypass","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/red-teaming-series-antivirus-bypass\/","title":{"rendered":"Red Teaming Series \u2014 Antivirus Bypass"},"content":{"rendered":"<p style=\"text-align: justify\">We constructed a <strong>malicious payload<\/strong> capable of evading detection across <strong>55 antivirus engines<\/strong> (VirusTotal platform):<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-1128 aligncenter\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/12-1.png\" alt=\"Virustotal\" width=\"1484\" height=\"814\" loading=\"lazy\" \/><\/p>\n<h2 style=\"text-align: justify\">Lab Preparation<\/h2>\n<ul>\n<li style=\"text-align: justify\"><strong>Windows 10<\/strong> &#8220;<span style=\"color: #339966\"><strong>victim<\/strong><\/span>&#8221; (with <strong>Firewall and AntiVirus active<\/strong>)<\/li>\n<li style=\"text-align: justify\"><strong>Windows 10<\/strong> &#8220;<strong><span style=\"color: #ff0000\">attacker<\/span><\/strong>&#8221; with <a href=\"https:\/\/github.com\/fireeye\/commando-vm\">CommandoVM<\/a> framework:<\/li>\n<\/ul>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/4.png?fit=750%2C226&amp;ssl=1\" alt=\"\" class=\"wp-image-1106\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attacker Set-Up:<\/h2>\n\n\n<p style=\"text-align: justify\">We deployed a PowerShell script (<strong>ReverseTCP Shell &#8211; <a href=\"https:\/\/github.com\/ZHacker13\/ReverseTCPShell\">link<\/a><\/strong>) to generate the <em>payload<\/em>:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img 
decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/5-1.png\" alt=\"\" class=\"wp-image-1108\" loading=\"lazy\" \/><\/figure>\n\n\n<p>The script generates two distinct outputs: a <strong><em>PowerShell<\/em><\/strong> command and a <strong><em>CMD<\/em><\/strong> command:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/6-1.png?fit=750%2C481&amp;ssl=1\" alt=\"\" class=\"wp-image-1109\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attack Execution<\/h2>\n\n\n<p style=\"text-align: justify\">The generated output can be embedded within a &#8220;<strong>.vbs<\/strong>&#8221; file or within <strong>Microsoft Office<\/strong> documents. Users frequently receive emails with attachments of this type:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/8.png\" alt=\"\" class=\"wp-image-1110\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Antivirus Ineffectiveness<\/h2>\n\n\n<p style=\"text-align: justify\">The user, even when executing an <strong>antivirus scan<\/strong>, receives no associated <strong>threat detection<\/strong> or <strong>alert<\/strong>:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/10.png\" alt=\"\" class=\"wp-image-1111\" loading=\"lazy\" \/><\/figure>\n\n\n<p style=\"text-align: justify\">Upon document execution, the <strong>attacker gains full control of the workstation with the same privileges as the compromised user<\/strong>. The attacker can upload\/download files present on the target system, capture screenshots, and perform other post-exploitation actions. 
Our <a href=\"https:\/\/fortgale.com\/en\/managed-soc\/\">Managed SOC<\/a> teams have observed this pattern across multiple intrusion campaigns:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/9.png\" alt=\"\" class=\"wp-image-1112\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Persistence<\/h2>\n\n\n<p style=\"text-align: justify\">To <strong>maintain access<\/strong> to the victim system, the <strong>payload<\/strong> must execute at each system startup. Multiple techniques exist to achieve this objective. One approach involves injecting malicious code into <strong>specific registry keys<\/strong>:<\/p>\n\n\n<figure class=\"wp-block-gallery columns-1 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\"><ul class=\"blocks-gallery-grid\"><li class=\"blocks-gallery-item\"><figure><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/11-2.png\" alt=\"\" data-id=\"1114\" data-full-url=\"https:\/\/i1.wp.com\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/01\/11-2.png?fit=859%2C641&amp;ssl=1\" data-link=\"https:\/\/fortgale.com\/news\/?attachment_id=1114\" class=\"wp-image-1114\" loading=\"lazy\" \/><\/figure><\/li><\/ul><\/figure>\n\n\n\n<p style=\"text-align: justify\">By replacing &#8220;calc.exe&#8221; with the previously generated command, the attacker achieves workstation control at each system restart without triggering any detection alert. 
This technique\u2014combining T1566.002 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys), and T1059.001 (Command and Scripting Interpreter: PowerShell)\u2014demonstrates how signature-based defenses alone remain insufficient against obfuscated, multi-stage payload delivery chains.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Antivirus evasion techniques in red-team operations: payload encoding, signature avoidance, behavioural-detection bypass and corresponding defensive lessons.<\/p>\n","protected":false},"author":1,"featured_media":1139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[29,3297,45,3299,3263,208,272,290,294,3298,371],"class_list":["post-1103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-antivirus-bypass","tag-av-evasion","tag-backdoor","tag-behavioural-detection","tag-defense-evasion","tag-macro","tag-powershell","tag-red-teaming","tag-reversetcp","tag-t1027","tag-vbs"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1103"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1103\/revisions"}],"predecessor-version":[{"id":9906,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1103\/revisions\/9906"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1103"}],"wp:term":[{"tax
onomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}