Monday, 29 June 2026

Execution Trust on Microsoft Windows

TECHNICAL WHITEPAPER


Execution Trust on Microsoft Windows

Reputation, Mark-of-the-Web, and Application Control

How Windows decides whether code is allowed to run — and why the answer depends on which control is in force.


Subject: Endpoint security · Code integrity · Application control

Classification: Public / General distribution

Version 1.0

1. Executive Summary

Every time a Windows endpoint runs a binary, script, or driver, it makes a trust decision: should this code be permitted to execute? The mechanisms that inform that decision are layered and frequently misunderstood, and they fall into two fundamentally different security models. Reputation-based controls such as Microsoft Defender SmartScreen ask “is this known to be bad, or does it look risky?” and typically warn the user while still allowing an override. Application-control controls such as App Control for Business (WDAC), AppLocker, and Smart App Control invert the question to “is this explicitly approved to run?” and block anything that fails policy.

This distinction matters because the two models offer very different assurances. A code-signing certificate or a particular delivery format may influence a reputation prompt, but neither reliably prevents execution on a current, patched system. Only policy-enforced application control delivers the property of “unsigned or unapproved code does not run.” This paper explains each control, traces the documented history of Mark-of-the-Web (MOTW) bypass techniques that exploited container file formats, summarises the patches that closed them, and maps the whole picture to recognised security frameworks including MITRE ATT&CK, the CIS Critical Security Controls, and the ASD Essential Eight.

2. The Trust Problem

Traditional antivirus operates on a deny-known-bad model: code is allowed to run unless the scanner confidently identifies it as malicious. With large volumes of new and unique files appearing continuously, this model is structurally reactive — a never-before-seen file has no signature to match, and the most dangerous moment is precisely the moment of first encounter. The trusted user at the keyboard compounds the problem: a process launched by a user inherits that user’s access, so a single mistaken double-click can expose everything that user can reach.

Windows therefore layers several distinct controls between a downloaded file and its execution. Understanding them requires separating three concerns that are often conflated: provenance (where did this file come from?), reputation (is this file or publisher known and trusted?), and policy (is this code permitted to run here regardless of reputation?). Mark-of-the-Web addresses provenance; SmartScreen and Smart App Control address reputation; application control addresses policy.

3. Mark-of-the-Web (MOTW)

Mark-of-the-Web is the provenance tag that makes the other controls possible. When a file is downloaded from the internet, Windows attaches a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier, recording the security zone the file originated from (internet content is ZoneId=3), along with referrer and source URL information. Downstream security features inspect this stream to decide how to treat the file.

The presence of MOTW is the trigger for several protective behaviours: Microsoft Office opens MOTW-tagged documents in Protected View; SmartScreen subjects MOTW-tagged executables to a reputation check; and Smart App Control evaluates MOTW-tagged code against policy and reputation. The corollary is the crux of many evasion techniques: if the mark is absent, these checks do not fire. A file that never received MOTW — or had it stripped — is treated as a trusted local file.

4. Microsoft Defender SmartScreen

SmartScreen is a reputation service, not a signature scanner. When a user attempts to run a MOTW-tagged executable, SmartScreen performs a reputation lookup. Well-known, prevalent, trusted files run without friction; unknown or low-prevalence files produce the familiar “Windows protected your PC” warning, which the user can override. SmartScreen draws on the same cloud-backed reputation service — the Microsoft Intelligent Security Graph (ISG) — used by Defender Antivirus and by Smart App Control.

Two properties define SmartScreen’s security value and its limits. First, it is advisory: its default outcome for an unknown file is a dismissible warning, not a hard block. Second, it is reputation-driven: a file earns trust through prevalence and time, not merely by being signed. These properties explain why SmartScreen is best understood as a user-awareness and friction control rather than a code-execution barrier.

5. Code Signing and Reputation

Authenticode signing binds a publisher identity to a binary and lets Windows verify the file has not been tampered with since signing. It is commonly assumed that signing a binary causes SmartScreen to wave it through. This is inaccurate. Because SmartScreen is reputation-based, a freshly signed but low-prevalence binary still draws the “unknown publisher” warning until the publisher identity accrues reputation. Signing contributes to reputation; it does not substitute for it.

Extended Validation (EV) code-signing certificates historically conferred near-immediate SmartScreen reputation, which was a primary selling point of EV over standard Organization Validation (OV) certificates. That advantage has eroded over time and should not be treated as a guaranteed instant-trust mechanism, particularly alongside tightened issuance requirements such as mandatory hardware-token key storage. From a defensive standpoint, a signature is also a strong attribution and revocation lever: a signed file ties activity to an identifiable certificate that can be revoked, which limits the operational value of signing for adversaries while increasing it for defenders and software vendors.

6. Container Formats and the Mark-of-the-Web Bypass Lineage

Because so many protections hinge on MOTW being present, a recurring class of techniques has focused on delivering payloads in a way that prevents the mark from reaching the executed file. The classic approach used container file formats — disk images (.iso, .img, .vhd, .vhdx) and certain archives. A container downloaded from the internet receives MOTW, but the files inside historically did not inherit the mark when the container was mounted or extracted, because these formats do not carry NTFS alternate data streams. Once mounted, the inner payload was treated as a trusted local file and ran without a SmartScreen prompt. This technique is catalogued by MITRE ATT&CK as sub-technique T1553.005, Mark-of-the-Web Bypass, and saw heavy use by commodity and state-aligned actors during 2022.

Microsoft has progressively closed these gaps. The November 2022 update addressed under CVE-2022-41091 changed Windows so that MOTW propagates from a downloaded ISO to its contents, so launching an inner file now produces the expected security warning. Related MOTW handling issues in archive and SmartScreen logic were addressed in the same period (for example CVE-2022-44698), and subsequent variants — such as the LNK path-normalisation “LNK stomping” technique (CVE-2024-38217) and the WebDAV copy-paste “copy2pwn” issue (CVE-2024-38213) — have each been patched as they were disclosed.

The strategic lesson is twofold. First, on a current, patched endpoint the naive container bypass no longer works as it once did. Second, this area exhibits a persistent patch-and-iterate cycle: narrowly scoped fixes have repeatedly been followed by new variants of the same underlying weakness. Defenders should therefore treat MOTW-dependent protections as valuable but not self-sufficient, and should not assume any single delivery technique is reliably neutralised without verifying the target’s actual patch level.

7. Application Control: The Inverted Model

Application control changes the default posture of the operating system. Rather than allowing all code to run unless something flags it as bad, it permits code to run only when policy explicitly approves it. Microsoft’s own documentation frames the shift as moving from “is this known to be bad?” to “is this approved to run?” This is the only category of control discussed here that reliably prevents unsigned or unapproved code from executing.

7.1 App Control for Business (WDAC)

App Control for Business — formerly Windows Defender Application Control (WDAC) — is a code-integrity policy engine introduced with Windows 10. Policies apply at the device level and govern executables, DLLs, MSI installers, scripts, and drivers across both user mode and kernel mode. Rules can be expressed against several criteria, including the attributes of the code-signing certificate used to sign an application, signed file metadata such as original filename and version, the file hash, the app’s reputation via the Intelligent Security Graph, the identity of the managed installer that deployed it, and the launch path. Enforcement sits in the kernel and can be hardware-reinforced, making it substantially more tamper-resistant than reputation prompts; policies can themselves be signed to resist removal. An important operational property is that policies can run in audit mode — logging what would have been blocked without enforcing — which supports safe rollout.

7.2 AppLocker

AppLocker is the older application-control mechanism. It operates in user mode and supports allowlisting by publisher (signature), path, and hash, and — unlike App Control for Business — its rules can be targeted to users and groups rather than only devices. It is simpler to deploy through Group Policy but provides weaker assurance: it lacks kernel-mode driver control and has a larger body of known bypasses. It remains useful as a complementary, fine-grained layer and as an accessible starting point.

7.3 Smart App Control

Smart App Control, introduced in Windows 11, brings application control to consumers and smaller organisations. It is built on the same App Control for Business engine and ensures that only signed code, or code the cloud service predicts to be safe, is allowed to run; when code is unsigned and the service cannot confidently predict it is safe, it is blocked. It is enabled or disabled as a whole rather than finely policy-managed, and — by design — it begins in an evaluation mode and cannot be re-enabled without resetting Windows once turned off. Functionally it is a “block untrusted code” control rather than an advisory one.

7.4 Comparison of Windows execution-trust controls

Control

Model

Default action

Scope

Enforcement

SmartScreen

Reputation

Warn (override)

MOTW-tagged files

User mode

Smart App Control

Reputation + signing

Block unknown

Whole device

Kernel (CI)

AppLocker

Policy allowlist

Block

Users / groups

User mode

App Control / WDAC

Policy allowlist

Block

Whole device

Kernel + user


8. Kernel-Mode Code Integrity and Driver Signing

Beneath the application layer, Windows enforces a separate and stricter requirement for kernel-mode code. On 64-bit Windows, kernel drivers must carry a valid signature anchored to a trusted authority or they will not load — a control known as Kernel-Mode Code Integrity / Driver Signature Enforcement. This is independent of the application-control policies above and addresses the highest-privilege code on the system. Hypervisor-protected Code Integrity (memory integrity) can further isolate the code-integrity checks themselves, raising the bar against tampering.

9. Cross-Platform Parallels

The execution-trust model is not unique to Windows; the same principle — establish a trust anchor, verify code against it, refuse to run what does not match — appears across platforms.

  • macOS — Gatekeeper: layered over mandatory code signing, Gatekeeper checks an application’s Developer ID signature and notarisation status and, by default, blocks software that is unsigned or not notarised.

  • Linux — IMA/EVM and dm-verity: the Integrity Measurement Architecture measures and can appraise files against signed reference values, while dm-verity provides block-level integrity for read-only, cryptographically verified images — together supplying signed/measured-execution and verified-boot equivalents.

The shared takeaway is that signing alone is a trust signal; it is the surrounding enforcement layer (Gatekeeper, IMA appraisal, application-control policy) that converts that signal into an execution decision.

10. Standards and Framework Alignment

Application control is not merely a vendor feature; it is codified as a frontline mitigation across major security frameworks, which is useful when justifying its adoption.

Framework

Position on application control

MITRE ATT&CK

T1553.005 (Mark-of-the-Web Bypass) documents container-format evasion; application control mitigates execution of untrusted code.

CIS Critical Security Controls v8

Control 2 — Inventory and Control of Software Assets — includes application allowlisting as a core safeguard.

ASD Essential Eight

Application control is one of the eight baseline mitigation strategies.

CISA #StopRansomware Guide

Recommends application control / allowlisting as part of ransomware-resistant configuration.


11. Conclusion and Recommendations

Windows offers a spectrum of execution-trust controls, but they are not interchangeable. Reputation controls (SmartScreen) raise user awareness and impose friction on unknown files, yet they warn rather than block and can be overridden. Provenance tagging (MOTW) underpins those checks but can be circumvented when delivery prevents the mark from reaching the payload — historically via container formats, though the well-known variants are now patched on current systems. The only controls that reliably stop unsigned or unapproved code from executing are policy-based application-control mechanisms.

Practical recommendations follow directly:

  • Treat SmartScreen and MOTW as awareness and provenance layers, not as execution barriers.

  • Maintain rigorous patch hygiene, since MOTW and SmartScreen bypasses have followed a persistent patch-and-iterate pattern.

  • Where the assurance goal is “unapproved code does not run,” deploy application control — App Control for Business (WDAC) for device-wide, kernel-enforced policy, AppLocker for user/group-scoped allowlisting, or Smart App Control for simpler estates.

  • Roll out application control in audit mode first, then move to enforcement once legitimate software is accounted for, and consider signed policies to resist tampering.

  • Layer application control with EDR and antivirus: allowlisting prevents unauthorised execution, while behavioural detection and signature scanning address what executes within the allowed set.

References

  1. Microsoft Learn — Application Control for Windows. https://learn.microsoft.com/windows/security/application-security/application-control/

  2. Microsoft Learn — App Control for Business (WDAC). https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/

  3. Microsoft Learn — App Control for Business and AppLocker Overview.

  4. Microsoft Learn — Smart App Control.

  5. Microsoft Learn — Microsoft Defender SmartScreen overview.

  6. Microsoft Learn — Zone.Identifier / Mark-of-the-Web (Attachment Manager).

  7. MITRE ATT&CK — T1553.005, Subvert Trust Controls: Mark-of-the-Web Bypass. https://attack.mitre.org/techniques/T1553/005/

  8. Microsoft Security Response Center — CVE-2022-41091 (Windows Mark-of-the-Web Security Feature Bypass).

  9. Microsoft Security Response Center — CVE-2022-44698, CVE-2024-38217 (LNK stomping), CVE-2024-38213 (copy2pwn).

  10. CIS Critical Security Controls v8 — Control 2: Inventory and Control of Software Assets.

  11. Australian Signals Directorate — Essential Eight Maturity Model: Application Control.

  12. CISA — #StopRansomware Guide.

This whitepaper is provided for general informational and educational purposes. It describes publicly documented Windows security mechanisms and their evolution. Product names and behaviours are subject to change; consult current vendor documentation for authoritative detail.
Posted by at No comments:

Thursday, 21 May 2026

Windows APIs, Syscalls, EDR Telemetry, and Modern Post-Exploitation Tradecraft

Introduction

This document summarizes high-level concepts related to Windows internals, API layers, syscall techniques, EDR telemetry, Beacon Object Files (BOFs), and behavioral detection logic observed in modern enterprise environments.

1. Windows Architecture Overview

Windows applications generally operate in user mode and interact with the operating system through several abstraction layers before transitioning into kernel mode.

Typical execution flow:

Application
    -> Win32 API
        -> ntdll.dll
            -> syscall boundary
                -> Windows kernel

The Windows kernel (ntoskrnl.exe) is responsible for:

·       Process scheduling

·       Memory management

·       Security enforcement

·       Driver interaction

·       Filesystems

·       Hardware abstraction

2. Win32 APIs vs Native APIs

Most applications use high-level Win32 APIs such as:

·       CreateProcess

·       VirtualAlloc

·       WriteProcessMemory

·       CreateRemoteThread

These functions are commonly exported through:

·       kernel32.dll

·       advapi32.dll

·       user32.dll

Below the Win32 layer is the Native API layer inside ntdll.dll.

Examples include:

·       NtAllocateVirtualMemory

·       NtWriteVirtualMemory

·       NtCreateThreadEx

These functions exist closer to the syscall boundary and eventually transition execution into kernel mode.

3. System Calls

A syscall transitions execution from user mode to kernel mode.

On modern Windows x64 systems this typically occurs through the CPU syscall instruction.

Traditional flow:

Application
 -> Win32 API
    -> Native API
       -> syscall
          -> kernel

4. Direct vs Indirect Syscalls

Direct Syscalls

Direct syscall techniques invoke syscall instructions from custom code.

This may involve constructing syscall stubs dynamically and bypassing higher-level API wrappers.

Indirect Syscalls

Indirect syscall techniques generally route execution through existing syscall stubs already present inside ntdll.dll.

The goal is often to blend more naturally with legitimate operating system behavior.

These approaches emerged because many EDR products historically focused heavily on user-mode API monitoring and hook-based telemetry.

5. .NET, VBA, and Native C/C++

.NET

.NET applications operate under the Common Language Runtime (CLR) and access Windows functionality through:

·       P/Invoke

·       D/Invoke

·       Interop

·       Reflection

VBA

VBA macros are high-level scripting environments commonly used inside Microsoft Office.

Because VBA has limited low-level capability, it has historically been used as:

·       a launcher,

·       orchestration layer,

·       or delivery mechanism

for native payloads written in C or C++.

Native C/C++

Native C/C++ code provides:

·       direct memory manipulation,

·       assembly integration,

·       low-level API access,

·       and greater control over execution behavior.

6. Beacon Object Files (BOFs)

BOFs are lightweight object modules commonly associated with modern adversary emulation frameworks.

Unlike DLLs:

·       BOFs are not full PE files,

·       are not loaded through the standard Windows loader,

·       and are typically executed directly in memory by an existing Beacon runtime.

BOFs can reduce certain forms of telemetry by avoiding:

·       additional process creation,

·       disk artifacts,

·       and standard PE loading behavior.

7. EDR Telemetry and Behavioral Detection

Modern EDR platforms perform significantly more than simple API-hook monitoring.

Common telemetry sources include:

·       Process lineage analysis

·       LOLBin monitoring

·       Memory behavior inspection

·       ETW telemetry

·       Thread start analysis

·       AMSI integration

·       Kernel callbacks

·       Behavioral correlation

As a result, detection frequently occurs because of the overall behavioral chain rather than a single suspicious API.

8. Why Initial Access Chains Become Noisy

Typical Legacy attacker TTP's could resemble

PowerShell
 -> download DLL
    -> write DLL to Temp
       -> rundll32.exe
          -> DLL export execution
             -> remote process injection

This execution chain is highly visible because it combines multiple high-signal behaviors:

·       Script interpreter execution

·       Hidden window execution

·       Network download activity

·       DLL execution from temporary directories

·       LOLBin usage (rundll32.exe)

·       Remote process injection behavior

Modern EDR products often correlate all of these signals into a single behavioral narrative.

9. The Shift from API Detection to Behavioral Analytics

Historically, defensive tooling focused heavily on detecting calls such as:

·       CreateRemoteThread

·       VirtualAllocEx

·       WriteProcessMemory

Modern EDR philosophy has evolved toward detecting suspicious operational patterns and execution context.

Examples include:

·       Office spawning interpreters

·       Chained LOLBins

·       Unbacked executable memory

·       Shellcode-like memory regions

·       Suspicious parent/child process relationships

·       Abnormal network-capable in-memory execution

10. Key Takeaways

  1. Syscalls and Native APIs reduce certain forms of user-mode visibility but do not eliminate telemetry.
  2. Modern EDR products increasingly rely on behavioral correlation rather than simple API hooking.
  3. Initial access chains often generate more detections than the post-exploitation tooling itself.
  4. BOFs and in-memory modules may reduce operational noise compared to traditional loaders, but they are still observable through multiple telemetry sources.
  5. Mature adversary emulation focuses on the entire attack chain, including:

·       execution provenance,

·       process lineage,

·       memory semantics,

·       behavioral shaping,

·       and operational discipline.

11. .NET Limitations vs Native C/C++ in Low-Level Windows Operations

Managed vs Unmanaged Execution

One of the most important distinctions between .NET languages and native C/C++ is the difference between managed and unmanaged execution.

.NET applications run under the Common Language Runtime (CLR). The CLR provides:

·       memory management,

·       garbage collection,

·       JIT compilation,

·       exception handling,

·       and runtime safety services.

This provides major development advantages but also introduces additional telemetry and operational visibility.

Typical .NET execution flow:

C# Code
 -> CLR
    -> P/Invoke or Interop
       -> Win32 API
          -> ntdll.dll
             -> syscall

By comparison, native C/C++ executes directly as unmanaged machine code:

Native C/C++
 -> Win32 or Native API
    -> syscall boundary

Why .NET Commonly Relies on Win32 APIs

.NET itself does not natively expose most low-level Windows internals.

As a result, low-level operations often require:

·       P/Invoke,

·       D/Invoke,

·       COM interop,

·       or unmanaged delegates.

Examples include:

·       memory allocation,

·       process creation,

·       thread creation,

·       token manipulation,

·       and low-level handle operations.

Historically, many .NET offensive frameworks heavily relied on:

·       kernel32.dll

·       advapi32.dll

·       user32.dll

through P/Invoke declarations.

This created highly visible execution patterns.

Additional Telemetry Introduced by .NET

Because .NET uses the CLR, it introduces additional telemetry layers beyond the Windows API layer itself.

Examples include:

·       CLR module loading

·       JIT compilation activity

·       AMSI inspection

·       ETW providers

·       managed assembly metadata

·       reflection activity

·       in-memory assembly loading

This means defenders may observe:

·       the .NET runtime itself,

·       suspicious assembly loading patterns,

·       or managed code behavior,

before low-level API activity even occurs.

Native C/C++ and Lower-Level Control

Native C/C++ provides significantly more direct control over:

·       memory layout,

·       execution flow,

·       calling conventions,

·       assembly integration,

·       and syscall-related behavior.

Because native code operates without the CLR:

·       fewer runtime artifacts exist,

·       execution paths are simpler,

·       and developers have finer control over Windows internals.

This is one reason advanced low-level tooling is commonly written in:

·       C

·       C++

·       Rust

·       Nim

rather than managed languages.

Win32 APIs and EDR Visibility

Historically, many EDR platforms focused heavily on monitoring high-level Win32 APIs.

Examples include:

·       VirtualAlloc

·       VirtualAllocEx

·       WriteProcessMemory

·       CreateRemoteThread

·       CreateProcess

These APIs became heavily associated with:

·       malware loaders,

·       injectors,

·       commodity malware,

·       and offensive tooling.

As a result, security products commonly instrumented:

·       kernel32.dll

·       kernelbase.dll

·       ntdll.dll

using user-mode hooks and telemetry collection.

This is one reason low-level native tooling evolved toward:

·       Native API usage,

·       dynamic import resolution,

·       syscall-oriented techniques,

·       and reduced dependency on standard Win32 wrappers.

Why BOFs Became Popular for Post-Exploitation

Beacon Object Files (BOFs) are lightweight in-memory task modules commonly written in C and used by modern adversary emulation frameworks.

Unlike traditional DLL-based tooling, BOFs are not full Portable Executable (PE) files loaded through the standard Windows loader.

Instead, they are object modules executed directly inside an existing agent or Beacon process.

This architectural model became popular because it can:

·       reduce process creation events,

·       reduce dependency on scripting interpreters,

·       avoid loading additional PE files,

·       reduce disk artifacts,

·       and perform highly focused in-memory operations.

BOFs are typically designed for short-lived operational tasks such as:

·       token operations,

·       process enumeration,

·       credential access simulation,

·       Active Directory enumeration,

·       privilege checks,

·       and memory interaction tasks.

Because BOFs execute within an already-running agent context, they can reduce the amount of observable execution-chain noise compared to launching separate external tooling.

Why BOFs Are Operationally Attractive

BOFs generally:

·       execute quickly,

·       have limited scope,

·       avoid spawning child processes,

·       and leverage an existing Beacon context.

This reduces:

·       process lineage noise,

·       interpreter telemetry,

·       additional PE loader visibility,

·       and some forms of execution-chain telemetry.

Because BOFs are written in native C:

·       they can interact directly with Windows internals,

·       use Native APIs,

·       and avoid many of the runtime artifacts associated with managed environments.

Important Modern Reality

It is important to understand that reduced telemetry does not mean invisibility.

Modern EDR platforms increasingly monitor:

·       memory semantics,

·       thread behavior,

·       ETW telemetry,

·       process relationships,

·       call stack integrity,

·       executable memory regions,

·       and behavioral correlations.

As a result, contemporary defensive monitoring focuses on the overall behavioral narrative rather than solely on whether a particular Win32 API was called.

Conclusion

Modern Windows security monitoring is no longer centered solely around individual API calls.

While syscall-oriented techniques may reduce visibility at certain user-mode monitoring layers, contemporary EDR products increasingly rely on broader behavioral analytics and telemetry correlation.

As a result, the overall execution chain, operational context, process lineage, and memory behavior frequently determine whether activity is considered suspicious

Posted by at No comments:
Subscribe to: Posts (Atom)