How can Logon Scripts bypass antivirus software like 360?

Logon Scripts execute before many antivirus programs load, allowing malicious actions in the script to run without interception. In the article, a batch script using wmic to modify environment variables was blocked by 360, but when triggered via Logon Scripts, it succeeded because the script ran before 360 could intercept it.

---
**Related reading:**
- Use Logon Scripts to maintain persistence — original article
- Penetration Basics - Obfuscating Strings Using Unicode Encoding
- Sophos UTM Analysis - Clearing Last WebAdmin Sessions Records
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails