How can Logon Scripts bypass interception by antivirus software such as 360?
Logon Scripts run earlier in the logon sequence than many antivirus programs. When sensitive operations (e.g., creating environment variables via WMI) are placed inside the Logon Script batch file, they execute before the antivirus can intercept those calls. This allows an attacker to bypass antivirus restrictions on operations like WMI calls.
---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Techniques - Obtaining Net-NTLM Hash via HTTP Protocol
- Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test
- Pupy Exploitation Analysis - Features on Windows Platform