I posted a comment in a thread recently about AV picking up custom executables created as a payload, even following encoding multiple times with one or more encoders. As far as I understand it, the AVs are picking up a signature related to how Meterpreter creates the executable, rather than the content of the payload. I know that I can create an executable that isn't picked up by AVs (such as a hex-edited version of nc.exe or one with a code cave), but can I use that as the payload which is uploaded and run on the target system when the exploit has completed? I came across the custom.rb script but that's only become available within the last couple of weeks and I'm not sure it would allow me to do what I would like.

I know that I could use such a hex-edited executable packaged with a legitimate installer and use Social Engineering to have a victim run it, but I would like to go down the route of finding some software vulnerability (such as Adobe) or an unpatched vulnerability in the Windows Operating system.

Thanks for your time (and patience!).