Monday, 13 July 2026

From Black Art to Continuous Emulation

TECHNICAL WHITEPAPER

Why the AI Threat Landscape Has Made the Annual Red Team a Liability

From the Black Art to Continuous Adversary Emulation

How the once-a-year red team became a liability — and why continuous, purple-team emulation is the only model that keeps pace with an AI-accelerated adversary.

Subject: Offensive security · Adversary emulation · Purple teaming

Classification: Public / General distribution

Version 1.0

1. Executive Summary

For most of its history, red teaming has been sold as a mystique-driven event: a small team of elite operators disappears for weeks, compromises a network, and returns with a report and a war story. That model built the tradecraft the industry now runs on, but as a security program it delivers a point-in-time snapshot that is stale on delivery, unmeasurable in any board-relevant sense, and adversarial toward the very defenders it should be improving. This paper argues that the AI-accelerated threat landscape has turned those long-standing weaknesses from an inefficiency into a liability.

The alternative is not a better annual test but a different operating model: faithful adversary emulation, run as a continuous purple-team loop, mapped to a shared framework such as MITRE ATT&CK, and measured as detection coverage that improves over time. Where the old model asked "can we be broken into?", the modern model asks "how fast do we detect the adversary we actually face, and can we prove that number is improving?" Generative AI is the accelerant that makes this shift urgent, because it compresses the attacker's timeline to a point where a yearly snapshot decays faster than an organisation can act on it.

2. The Mystique, and What It Cost Us

Give the old model its due, because it earned it. That generation of operators built the tradecraft the entire industry now runs on. They proved that a determined human adversary would find the path a vulnerability scanner never imagined, and they exposed the gap between "we are compliant" and "we are defensible" — a gap that has cost organisations dearly when it went unexamined. The black art was real, and it produced real capability.

But examined honestly as a program rather than a performance, the bill comes due. The annual engagement was a point-in-time snapshot, stale the moment it was signed; the environment changed the following Tuesday, and the report described a network that no longer existed. It was unmeasurable — "the red team got domain admin" is a story, not a metric, and it said almost nothing about how much better the organisation had become since last year or where to spend the next dollar. It was adversarial when it needed to be collaborative: a blindsided blue team learns nothing except that it was blindsided, and the knowledge stayed on the red side, which is exactly the wrong place for it to live. And it did not scale or repeat — one elite engagement a year is a rounding error against an adversary who probes continuously.

None of this was a failure of skill. It was a failure of operating model — and the AI-accelerated threat landscape has turned that weakness into an existential one.

3. Emulation, Not Infiltration

The first shift is conceptual, and it is the one leadership most often misses. Old-school red teaming asked whether a clever human could break in. The answer was almost always yes, which made it a poor question — expensive to answer and predictable in outcome. Modern red teaming asks a better one: when a specific, named adversary runs its specific playbook against us, where exactly do we see it, and where are we blind?

That is adversary emulation, and it is a different discipline. Instead of freestyling toward a flag, the operator replicates the concrete tactics, techniques, and procedures of a threat actor the organisation actually faces — a ransomware affiliate, a commodity infostealer crew, a state-aligned intrusion set — and maps every action to a shared, structured framework. MITRE ATT&CK gives red and blue a common language: not "we got in," but "T1055 process injection went undetected, T1003 credential dumping fired an alert, T1071 C2 over HTTPS blended into normal traffic."

This is where tooling such as Cobalt Strike stops being a hacker curiosity and becomes an emulation instrument. A modern command-and-control framework lets an operator faithfully reproduce how a real intrusion behaves on the wire and on the host — malleable traffic profiles that mimic a named actor's beaconing, in-memory tradecraft that models how modern malware evades EDR, and credential and lateral-movement techniques replayed exactly as the adversary would run them. The value is no longer the theatre of compromise; it is fidelity. You are testing detections against a faithful reproduction of the threat, not against a generic script no real attacker uses. Emulation converts red teaming from a demonstration into a measurement, and that single change is what makes everything downstream possible.

4. Purple, Not Red Versus Blue

The second shift is organisational, and it is the one that actually moves the needle on risk. If the goal is measurement and improvement rather than a highlight reel, keeping the red and blue teams apart is indefensible. Purple teaming collapses the wall: red executes a technique, blue watches in real time, and together they answer three questions immediately — did we generate telemetry, did that telemetry become an alert, and did anyone act on it? When the answer is no, the finding is not filed in a report to be read next quarter. The detection is fixed that afternoon and the technique re-run before anyone leaves the room.

This is a fundamentally different economic model. The annual black-art engagement produced a document. A continuous purple team produces a feedback loop — a standing, repeatable process that steadily raises detection coverage against a living map of adversary behaviour. Run it monthly, run it against each new threat-intelligence report, run it every time a new control is deployed, and the output stops being "here is how we were beaten" and becomes "here is our detection coverage across the ATT&CK matrix, here is how it moved this quarter, and here is precisely where the next investment closes the biggest gap." That is language a board understands. It reframes offensive security from an unpredictable annual cost into a governable capability with a coverage metric attached — and it does something the old model never could: it makes defenders better rather than merely aware that they are worse than the red team.

5. The AI Accelerant

Everything above was true before generative AI arrived. AI is what turns it from best practice into urgency, and it does so not primarily by inventing new attacks but by collapsing the timeline on the ones we already face. For a defender, time is the whole game — and the adversary has just bought a great deal of it.

The compression is already visible across the intrusion lifecycle. Reconnaissance and targeting that took days of manual OSINT now takes minutes, as public data is aggregated, correlated, and turned into a target profile at machine speed. Social engineering has lost its tells: the misspelled, awkwardly phrased phishing lure was a gift to defenders and awareness training alike, and that gift is gone — AI produces fluent, contextual, personalised pretext at volume, in any language, indistinguishable from legitimate correspondence, and increasingly with a cloned voice attached. Tooling and exploitation are accelerating too, as AI assists with code, with adapting known techniques, and with triaging vulnerabilities in unfamiliar systems; it lowers the skill floor for the many and raises the throughput of the capable few, so the intrusion that once required a specialist can increasingly be assembled by a generalist with a good model. And operational tempo rises across the board: industry telemetry already measured adversary "breakout time" — the interval from initial foothold to lateral movement — in a small number of minutes for the fastest crews, with dwell time compressing from the better part of a year a decade ago to a couple of weeks today. AI pushes every one of those clocks in the wrong direction for defenders.

Now hold that acceleration against the annual red team. A snapshot of defences was commissioned in Q1; the adversary's tooling, lures, and tempo evolved measurably by Q2; and by the time the Q4 engagement is scoped, the threat that was assessed no longer exists in the form it was tested. A point-in-time assessment against a continuous, AI-accelerated adversary is not merely insufficient — it is misleading. It hands leadership a coverage figure that decays faster than the organisation can act on it, and it invites the most dangerous posture in security: confidence built on stale evidence. The only rational response to an adversary that improves continuously is a defensive validation program that improves continuously. A machine-speed, always-on threat cannot be met with a once-a-year human event; the cadence mismatch alone is disqualifying.

6. What This Means for Security Leadership

For anyone accountable for security posture, the practical implications are concrete.

Stop buying snapshots as your primary assurance. The annual red team still has a role as an occasional, no-holds-barred stress test of the whole system, including people and process — keep it for that. But it is the wrong instrument to serve as the main measure of defensive readiness, and a poor place to spend the majority of an offensive-security budget.

Fund the loop, not the event. Invest in a continuous purple-teaming capability — internal, partnered, or hybrid — that emulates the adversaries in your threat model on a regular cadence and works hand-in-glove with detection engineers. The deliverable to demand is not a report; it is a measurable, moving improvement in detection coverage.

Insist on metrics that survive a board meeting. Ask for detection coverage mapped to ATT&CK, mean time to detect against emulated techniques, the trend line quarter over quarter, and the specific gaps prioritised by the threat intelligence relevant to your sector. "We passed the pen test" is not a metric. "Our coverage of ransomware-affiliate TTPs went from 40% to 71% this year, and here is the roadmap to 85%" is.

Tie the cadence to the threat, not the calendar. A new actor in your sector, new tooling in the wild, or a new control deployed in your estate is each a trigger to validate, not something to hold until next year's window. In an AI-accelerated landscape, validation cadence should be indexed to how fast the threat moves — and the threat now moves at machine speed.

7. Conclusion

The black art earned its reputation, and the tradecraft it built is the foundation everything else stands on. But mystique was always a weakness disguised as a strength — knowledge hoarded on the wrong side of the wall, delivered as a snapshot, and measured in war stories. The AI era has made that weakness untenable. Adversaries now improve continuously and at speed, and the only defensible answer is to validate continuously and at speed: faithful emulation of the threats an organisation actually faces, run as an ongoing purple-team loop, measured against a shared framework, and pointed squarely at making defenders better every week.

The question a modern security leader should be asking is no longer "can we be broken into?" — you can, everyone can, and it is the wrong question. It is "how fast do we detect the adversary we actually face, is that number improving, and can I prove it?" The black art cannot answer that. Continuous emulation can.

References

1. MITRE ATT&CK — Enterprise Matrix. https://attack.mitre.org/

2. MITRE ATT&CK — Adversary Emulation Plans. https://attack.mitre.org/resources/adversary-emulation-plans/

3. MITRE Engenuity — Center for Threat-Informed Defense: Purple Teaming resources.

4. Mandiant — M-Trends Annual Report (global median dwell time).

5. CrowdStrike — Global Threat Report (eCrime breakout time).

6. NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment.

This whitepaper is provided for general informational and educational purposes. It describes publicly documented concepts, tooling categories, and industry reporting. Product names and behaviours are subject to change; consult current vendor and framework documentation for authoritative detail.

Monday, 29 June 2026

Execution Trust on Microsoft Windows

TECHNICAL WHITEPAPER


Execution Trust on Microsoft Windows

Reputation, Mark-of-the-Web, and Application Control

How Windows decides whether code is allowed to run — and why the answer depends on which control is in force.


Subject: Endpoint security · Code integrity · Application control

Classification: Public / General distribution

Version 1.0

1. Executive Summary

Every time a Windows endpoint runs a binary, script, or driver, it makes a trust decision: should this code be permitted to execute? The mechanisms that inform that decision are layered and frequently misunderstood, and they fall into two fundamentally different security models. Reputation-based controls such as Microsoft Defender SmartScreen ask “is this known to be bad, or does it look risky?” and typically warn the user while still allowing an override. Application-control controls such as App Control for Business (WDAC), AppLocker, and Smart App Control invert the question to “is this explicitly approved to run?” and block anything that fails policy.

This distinction matters because the two models offer very different assurances. A code-signing certificate or a particular delivery format may influence a reputation prompt, but neither reliably prevents execution on a current, patched system. Only policy-enforced application control delivers the property of “unsigned or unapproved code does not run.” This paper explains each control, traces the documented history of Mark-of-the-Web (MOTW) bypass techniques that exploited container file formats, summarises the patches that closed them, and maps the whole picture to recognised security frameworks including MITRE ATT&CK, the CIS Critical Security Controls, and the ASD Essential Eight.

2. The Trust Problem

Traditional antivirus operates on a deny-known-bad model: code is allowed to run unless the scanner confidently identifies it as malicious. With large volumes of new and unique files appearing continuously, this model is structurally reactive — a never-before-seen file has no signature to match, and the most dangerous moment is precisely the moment of first encounter. The trusted user at the keyboard compounds the problem: a process launched by a user inherits that user’s access, so a single mistaken double-click can expose everything that user can reach.

Windows therefore layers several distinct controls between a downloaded file and its execution. Understanding them requires separating three concerns that are often conflated: provenance (where did this file come from?), reputation (is this file or publisher known and trusted?), and policy (is this code permitted to run here regardless of reputation?). Mark-of-the-Web addresses provenance; SmartScreen and Smart App Control address reputation; application control addresses policy.

3. Mark-of-the-Web (MOTW)

Mark-of-the-Web is the provenance tag that makes the other controls possible. When a file is downloaded from the internet, Windows attaches a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier, recording the security zone the file originated from (internet content is ZoneId=3), along with referrer and source URL information. Downstream security features inspect this stream to decide how to treat the file.

The presence of MOTW is the trigger for several protective behaviours: Microsoft Office opens MOTW-tagged documents in Protected View; SmartScreen subjects MOTW-tagged executables to a reputation check; and Smart App Control evaluates MOTW-tagged code against policy and reputation. The corollary is the crux of many evasion techniques: if the mark is absent, these checks do not fire. A file that never received MOTW — or had it stripped — is treated as a trusted local file.

4. Microsoft Defender SmartScreen

SmartScreen is a reputation service, not a signature scanner. When a user attempts to run a MOTW-tagged executable, SmartScreen performs a reputation lookup. Well-known, prevalent, trusted files run without friction; unknown or low-prevalence files produce the familiar “Windows protected your PC” warning, which the user can override. SmartScreen draws on the same cloud-backed reputation service — the Microsoft Intelligent Security Graph (ISG) — used by Defender Antivirus and by Smart App Control.

Two properties define SmartScreen’s security value and its limits. First, it is advisory: its default outcome for an unknown file is a dismissible warning, not a hard block. Second, it is reputation-driven: a file earns trust through prevalence and time, not merely by being signed. These properties explain why SmartScreen is best understood as a user-awareness and friction control rather than a code-execution barrier.

5. Code Signing and Reputation

Authenticode signing binds a publisher identity to a binary and lets Windows verify the file has not been tampered with since signing. It is commonly assumed that signing a binary causes SmartScreen to wave it through. This is inaccurate. Because SmartScreen is reputation-based, a freshly signed but low-prevalence binary still draws the “unknown publisher” warning until the publisher identity accrues reputation. Signing contributes to reputation; it does not substitute for it.

Extended Validation (EV) code-signing certificates historically conferred near-immediate SmartScreen reputation, which was a primary selling point of EV over standard Organization Validation (OV) certificates. That advantage has eroded over time and should not be treated as a guaranteed instant-trust mechanism, particularly alongside tightened issuance requirements such as mandatory hardware-token key storage. From a defensive standpoint, a signature is also a strong attribution and revocation lever: a signed file ties activity to an identifiable certificate that can be revoked, which limits the operational value of signing for adversaries while increasing it for defenders and software vendors.

6. Container Formats and the Mark-of-the-Web Bypass Lineage

Because so many protections hinge on MOTW being present, a recurring class of techniques has focused on delivering payloads in a way that prevents the mark from reaching the executed file. The classic approach used container file formats — disk images (.iso, .img, .vhd, .vhdx) and certain archives. A container downloaded from the internet receives MOTW, but the files inside historically did not inherit the mark when the container was mounted or extracted, because these formats do not carry NTFS alternate data streams. Once mounted, the inner payload was treated as a trusted local file and ran without a SmartScreen prompt. This technique is catalogued by MITRE ATT&CK as sub-technique T1553.005, Mark-of-the-Web Bypass, and saw heavy use by commodity and state-aligned actors during 2022.

Microsoft has progressively closed these gaps. The November 2022 update addressed under CVE-2022-41091 changed Windows so that MOTW propagates from a downloaded ISO to its contents, so launching an inner file now produces the expected security warning. Related MOTW handling issues in archive and SmartScreen logic were addressed in the same period (for example CVE-2022-44698), and subsequent variants — such as the LNK path-normalisation “LNK stomping” technique (CVE-2024-38217) and the WebDAV copy-paste “copy2pwn” issue (CVE-2024-38213) — have each been patched as they were disclosed.

The strategic lesson is twofold. First, on a current, patched endpoint the naive container bypass no longer works as it once did. Second, this area exhibits a persistent patch-and-iterate cycle: narrowly scoped fixes have repeatedly been followed by new variants of the same underlying weakness. Defenders should therefore treat MOTW-dependent protections as valuable but not self-sufficient, and should not assume any single delivery technique is reliably neutralised without verifying the target’s actual patch level.

7. Application Control: The Inverted Model

Application control changes the default posture of the operating system. Rather than allowing all code to run unless something flags it as bad, it permits code to run only when policy explicitly approves it. Microsoft’s own documentation frames the shift as moving from “is this known to be bad?” to “is this approved to run?” This is the only category of control discussed here that reliably prevents unsigned or unapproved code from executing.

7.1 App Control for Business (WDAC)

App Control for Business — formerly Windows Defender Application Control (WDAC) — is a code-integrity policy engine introduced with Windows 10. Policies apply at the device level and govern executables, DLLs, MSI installers, scripts, and drivers across both user mode and kernel mode. Rules can be expressed against several criteria, including the attributes of the code-signing certificate used to sign an application, signed file metadata such as original filename and version, the file hash, the app’s reputation via the Intelligent Security Graph, the identity of the managed installer that deployed it, and the launch path. Enforcement sits in the kernel and can be hardware-reinforced, making it substantially more tamper-resistant than reputation prompts; policies can themselves be signed to resist removal. An important operational property is that policies can run in audit mode — logging what would have been blocked without enforcing — which supports safe rollout.

7.2 AppLocker

AppLocker is the older application-control mechanism. It operates in user mode and supports allowlisting by publisher (signature), path, and hash, and — unlike App Control for Business — its rules can be targeted to users and groups rather than only devices. It is simpler to deploy through Group Policy but provides weaker assurance: it lacks kernel-mode driver control and has a larger body of known bypasses. It remains useful as a complementary, fine-grained layer and as an accessible starting point.

7.3 Smart App Control

Smart App Control, introduced in Windows 11, brings application control to consumers and smaller organisations. It is built on the same App Control for Business engine and ensures that only signed code, or code the cloud service predicts to be safe, is allowed to run; when code is unsigned and the service cannot confidently predict it is safe, it is blocked. It is enabled or disabled as a whole rather than finely policy-managed, and — by design — it begins in an evaluation mode and cannot be re-enabled without resetting Windows once turned off. Functionally it is a “block untrusted code” control rather than an advisory one.

7.4 Comparison of Windows execution-trust controls

Control

Model

Default action

Scope

Enforcement

SmartScreen

Reputation

Warn (override)

MOTW-tagged files

User mode

Smart App Control

Reputation + signing

Block unknown

Whole device

Kernel (CI)

AppLocker

Policy allowlist

Block

Users / groups

User mode

App Control / WDAC

Policy allowlist

Block

Whole device

Kernel + user


8. Kernel-Mode Code Integrity and Driver Signing

Beneath the application layer, Windows enforces a separate and stricter requirement for kernel-mode code. On 64-bit Windows, kernel drivers must carry a valid signature anchored to a trusted authority or they will not load — a control known as Kernel-Mode Code Integrity / Driver Signature Enforcement. This is independent of the application-control policies above and addresses the highest-privilege code on the system. Hypervisor-protected Code Integrity (memory integrity) can further isolate the code-integrity checks themselves, raising the bar against tampering.

9. Cross-Platform Parallels

The execution-trust model is not unique to Windows; the same principle — establish a trust anchor, verify code against it, refuse to run what does not match — appears across platforms.

  • macOS — Gatekeeper: layered over mandatory code signing, Gatekeeper checks an application’s Developer ID signature and notarisation status and, by default, blocks software that is unsigned or not notarised.

  • Linux — IMA/EVM and dm-verity: the Integrity Measurement Architecture measures and can appraise files against signed reference values, while dm-verity provides block-level integrity for read-only, cryptographically verified images — together supplying signed/measured-execution and verified-boot equivalents.

The shared takeaway is that signing alone is a trust signal; it is the surrounding enforcement layer (Gatekeeper, IMA appraisal, application-control policy) that converts that signal into an execution decision.

10. Standards and Framework Alignment

Application control is not merely a vendor feature; it is codified as a frontline mitigation across major security frameworks, which is useful when justifying its adoption.

Framework

Position on application control

MITRE ATT&CK

T1553.005 (Mark-of-the-Web Bypass) documents container-format evasion; application control mitigates execution of untrusted code.

CIS Critical Security Controls v8

Control 2 — Inventory and Control of Software Assets — includes application allowlisting as a core safeguard.

ASD Essential Eight

Application control is one of the eight baseline mitigation strategies.

CISA #StopRansomware Guide

Recommends application control / allowlisting as part of ransomware-resistant configuration.


11. Conclusion and Recommendations

Windows offers a spectrum of execution-trust controls, but they are not interchangeable. Reputation controls (SmartScreen) raise user awareness and impose friction on unknown files, yet they warn rather than block and can be overridden. Provenance tagging (MOTW) underpins those checks but can be circumvented when delivery prevents the mark from reaching the payload — historically via container formats, though the well-known variants are now patched on current systems. The only controls that reliably stop unsigned or unapproved code from executing are policy-based application-control mechanisms.

Practical recommendations follow directly:

  • Treat SmartScreen and MOTW as awareness and provenance layers, not as execution barriers.

  • Maintain rigorous patch hygiene, since MOTW and SmartScreen bypasses have followed a persistent patch-and-iterate pattern.

  • Where the assurance goal is “unapproved code does not run,” deploy application control — App Control for Business (WDAC) for device-wide, kernel-enforced policy, AppLocker for user/group-scoped allowlisting, or Smart App Control for simpler estates.

  • Roll out application control in audit mode first, then move to enforcement once legitimate software is accounted for, and consider signed policies to resist tampering.

  • Layer application control with EDR and antivirus: allowlisting prevents unauthorised execution, while behavioural detection and signature scanning address what executes within the allowed set.

References

  1. Microsoft Learn — Application Control for Windows. https://learn.microsoft.com/windows/security/application-security/application-control/

  2. Microsoft Learn — App Control for Business (WDAC). https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/

  3. Microsoft Learn — App Control for Business and AppLocker Overview.

  4. Microsoft Learn — Smart App Control.

  5. Microsoft Learn — Microsoft Defender SmartScreen overview.

  6. Microsoft Learn — Zone.Identifier / Mark-of-the-Web (Attachment Manager).

  7. MITRE ATT&CK — T1553.005, Subvert Trust Controls: Mark-of-the-Web Bypass. https://attack.mitre.org/techniques/T1553/005/

  8. Microsoft Security Response Center — CVE-2022-41091 (Windows Mark-of-the-Web Security Feature Bypass).

  9. Microsoft Security Response Center — CVE-2022-44698, CVE-2024-38217 (LNK stomping), CVE-2024-38213 (copy2pwn).

  10. CIS Critical Security Controls v8 — Control 2: Inventory and Control of Software Assets.

  11. Australian Signals Directorate — Essential Eight Maturity Model: Application Control.

  12. CISA — #StopRansomware Guide.

This whitepaper is provided for general informational and educational purposes. It describes publicly documented Windows security mechanisms and their evolution. Product names and behaviours are subject to change; consult current vendor documentation for authoritative detail.


Thursday, 21 May 2026

Windows APIs, Syscalls, EDR Telemetry, and Modern Post-Exploitation Tradecraft

Introduction

This document summarizes high-level concepts related to Windows internals, API layers, syscall techniques, EDR telemetry, Beacon Object Files (BOFs), and behavioral detection logic observed in modern enterprise environments.


1. Windows Architecture Overview

Windows applications generally operate in user mode and interact with the operating system through several abstraction layers before transitioning into kernel mode.

Typical execution flow:

Application
    -> Win32 API
        -> ntdll.dll
            -> syscall boundary
                -> Windows kernel

The Windows kernel (ntoskrnl.exe) is responsible for:

·       Process scheduling

·       Memory management

·       Security enforcement

·       Driver interaction

·       Filesystems

·       Hardware abstraction


2. Win32 APIs vs Native APIs

Most applications use high-level Win32 APIs such as:

·       CreateProcess

·       VirtualAlloc

·       WriteProcessMemory

·       CreateRemoteThread

These functions are commonly exported through:

·       kernel32.dll

·       advapi32.dll

·       user32.dll

Below the Win32 layer is the Native API layer inside ntdll.dll.

Examples include:

·       NtAllocateVirtualMemory

·       NtWriteVirtualMemory

·       NtCreateThreadEx

These functions exist closer to the syscall boundary and eventually transition execution into kernel mode.


3. System Calls

A syscall transitions execution from user mode to kernel mode.

On modern Windows x64 systems this typically occurs through the CPU syscall instruction.

Traditional flow:

Application
 -> Win32 API
    -> Native API
       -> syscall
          -> kernel


4. Direct vs Indirect Syscalls

Direct Syscalls

Direct syscall techniques invoke syscall instructions from custom code.

This may involve constructing syscall stubs dynamically and bypassing higher-level API wrappers.

Indirect Syscalls

Indirect syscall techniques generally route execution through existing syscall stubs already present inside ntdll.dll.

The goal is often to blend more naturally with legitimate operating system behavior.

These approaches emerged because many EDR products historically focused heavily on user-mode API monitoring and hook-based telemetry.


5. .NET, VBA, and Native C/C++

.NET

.NET applications operate under the Common Language Runtime (CLR) and access Windows functionality through:

·       P/Invoke

·       D/Invoke

·       Interop

·       Reflection

VBA

VBA macros are high-level scripting environments commonly used inside Microsoft Office.

Because VBA has limited low-level capability, it has historically been used as:

·       a launcher,

·       orchestration layer,

·       or delivery mechanism

for native payloads written in C or C++.

Native C/C++

Native C/C++ code provides:

·       direct memory manipulation,

·       assembly integration,

·       low-level API access,

·       and greater control over execution behavior.


6. Beacon Object Files (BOFs)

BOFs are lightweight object modules commonly associated with modern adversary emulation frameworks.

Unlike DLLs:

·       BOFs are not full PE files,

·       are not loaded through the standard Windows loader,

·       and are typically executed directly in memory by an existing Beacon runtime.

BOFs can reduce certain forms of telemetry by avoiding:

·       additional process creation,

·       disk artifacts,

·       and standard PE loading behavior.


7. EDR Telemetry and Behavioral Detection

Modern EDR platforms perform significantly more than simple API-hook monitoring.

Common telemetry sources include:

·       Process lineage analysis

·       LOLBin monitoring

·       Memory behavior inspection

·       ETW telemetry

·       Thread start analysis

·       AMSI integration

·       Kernel callbacks

·       Behavioral correlation

As a result, detection frequently occurs because of the overall behavioral chain rather than a single suspicious API.


8. Why Initial Access Chains Become Noisy

Typical Legacy attacker TTP's could resemble

PowerShell
 -> download DLL
    -> write DLL to Temp
       -> rundll32.exe
          -> DLL export execution
             -> remote process injection

This execution chain is highly visible because it combines multiple high-signal behaviors:

·       Script interpreter execution

·       Hidden window execution

·       Network download activity

·       DLL execution from temporary directories

·       LOLBin usage (rundll32.exe)

·       Remote process injection behavior

Modern EDR products often correlate all of these signals into a single behavioral narrative.


9. The Shift from API Detection to Behavioral Analytics

Historically, defensive tooling focused heavily on detecting calls such as:

·       CreateRemoteThread

·       VirtualAllocEx

·       WriteProcessMemory

Modern EDR philosophy has evolved toward detecting suspicious operational patterns and execution context.

Examples include:

·       Office spawning interpreters

·       Chained LOLBins

·       Unbacked executable memory

·       Shellcode-like memory regions

·       Suspicious parent/child process relationships

·       Abnormal network-capable in-memory execution


10. Key Takeaways

  1. Syscalls and Native APIs reduce certain forms of user-mode visibility but do not eliminate telemetry.
  2. Modern EDR products increasingly rely on behavioral correlation rather than simple API hooking.
  3. Initial access chains often generate more detections than the post-exploitation tooling itself.
  4. BOFs and in-memory modules may reduce operational noise compared to traditional loaders, but they are still observable through multiple telemetry sources.
  5. Mature adversary emulation focuses on the entire attack chain, including:

·       execution provenance,

·       process lineage,

·       memory semantics,

·       behavioral shaping,

·       and operational discipline.


11. .NET Limitations vs Native C/C++ in Low-Level Windows Operations

Managed vs Unmanaged Execution

One of the most important distinctions between .NET languages and native C/C++ is the difference between managed and unmanaged execution.

.NET applications run under the Common Language Runtime (CLR). The CLR provides:

·       memory management,

·       garbage collection,

·       JIT compilation,

·       exception handling,

·       and runtime safety services.

This provides major development advantages but also introduces additional telemetry and operational visibility.

Typical .NET execution flow:

C# Code
 -> CLR
    -> P/Invoke or Interop
       -> Win32 API
          -> ntdll.dll
             -> syscall

By comparison, native C/C++ executes directly as unmanaged machine code:

Native C/C++
 -> Win32 or Native API
    -> syscall boundary


Why .NET Commonly Relies on Win32 APIs

.NET itself does not natively expose most low-level Windows internals.

As a result, low-level operations often require:

·       P/Invoke,

·       D/Invoke,

·       COM interop,

·       or unmanaged delegates.

Examples include:

·       memory allocation,

·       process creation,

·       thread creation,

·       token manipulation,

·       and low-level handle operations.

Historically, many .NET offensive frameworks heavily relied on:

·       kernel32.dll

·       advapi32.dll

·       user32.dll

through P/Invoke declarations.

This created highly visible execution patterns.


Additional Telemetry Introduced by .NET

Because .NET uses the CLR, it introduces additional telemetry layers beyond the Windows API layer itself.

Examples include:

·       CLR module loading

·       JIT compilation activity

·       AMSI inspection

·       ETW providers

·       managed assembly metadata

·       reflection activity

·       in-memory assembly loading

This means defenders may observe:

·       the .NET runtime itself,

·       suspicious assembly loading patterns,

·       or managed code behavior,

before low-level API activity even occurs.


Native C/C++ and Lower-Level Control

Native C/C++ provides significantly more direct control over:

·       memory layout,

·       execution flow,

·       calling conventions,

·       assembly integration,

·       and syscall-related behavior.

Because native code operates without the CLR:

·       fewer runtime artifacts exist,

·       execution paths are simpler,

·       and developers have finer control over Windows internals.

This is one reason advanced low-level tooling is commonly written in:

·       C

·       C++

·       Rust

·       Nim

rather than managed languages.


Win32 APIs and EDR Visibility

Historically, many EDR platforms focused heavily on monitoring high-level Win32 APIs.

Examples include:

·       VirtualAlloc

·       VirtualAllocEx

·       WriteProcessMemory

·       CreateRemoteThread

·       CreateProcess

These APIs became heavily associated with:

·       malware loaders,

·       injectors,

·       commodity malware,

·       and offensive tooling.

As a result, security products commonly instrumented:

·       kernel32.dll

·       kernelbase.dll

·       ntdll.dll

using user-mode hooks and telemetry collection.

This is one reason low-level native tooling evolved toward:

·       Native API usage,

·       dynamic import resolution,

·       syscall-oriented techniques,

·       and reduced dependency on standard Win32 wrappers.


Why BOFs Became Popular for Post-Exploitation

Beacon Object Files (BOFs) are lightweight in-memory task modules commonly written in C and used by modern adversary emulation frameworks.

Unlike traditional DLL-based tooling, BOFs are not full Portable Executable (PE) files loaded through the standard Windows loader.

Instead, they are object modules executed directly inside an existing agent or Beacon process.

This architectural model became popular because it can:

·       reduce process creation events,

·       reduce dependency on scripting interpreters,

·       avoid loading additional PE files,

·       reduce disk artifacts,

·       and perform highly focused in-memory operations.

BOFs are typically designed for short-lived operational tasks such as:

·       token operations,

·       process enumeration,

·       credential access simulation,

·       Active Directory enumeration,

·       privilege checks,

·       and memory interaction tasks.

Because BOFs execute within an already-running agent context, they can reduce the amount of observable execution-chain noise compared to launching separate external tooling.


Why BOFs Are Operationally Attractive

BOFs generally:

·       execute quickly,

·       have limited scope,

·       avoid spawning child processes,

·       and leverage an existing Beacon context.

This reduces:

·       process lineage noise,

·       interpreter telemetry,

·       additional PE loader visibility,

·       and some forms of execution-chain telemetry.

Because BOFs are written in native C:

·       they can interact directly with Windows internals,

·       use Native APIs,

·       and avoid many of the runtime artifacts associated with managed environments.


Important Modern Reality

It is important to understand that reduced telemetry does not mean invisibility.

Modern EDR platforms increasingly monitor:

·       memory semantics,

·       thread behavior,

·       ETW telemetry,

·       process relationships,

·       call stack integrity,

·       executable memory regions,

·       and behavioral correlations.

As a result, contemporary defensive monitoring focuses on the overall behavioral narrative rather than solely on whether a particular Win32 API was called.


Conclusion

Modern Windows security monitoring is no longer centered solely around individual API calls.

While syscall-oriented techniques may reduce visibility at certain user-mode monitoring layers, contemporary EDR products increasingly rely on broader behavioral analytics and telemetry correlation.

As a result, the overall execution chain, operational context, process lineage, and memory behavior frequently determine whether activity is considered suspicious