Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines. Xori will be released during Black Hat 2018.
Endgame Kernel Attack Surface Reduction (KASR) is a small driver that targets a database of publicly-known exploitable drivers. It acts as a bouncer, preventing these exploitable drivers from being loaded into the kernel. KASR is SIEM-friendly. When it intercepts a vulnerable driver, it records the event in the Windows Event log. KASR requires no configuration, and comes with an MSI that supports unattended installation. Registry-based configuration options are available for power users seeking more protection. See the included README for more details.
We are currently in the process of expanding KASR’s blacklist. Check this page in the future for updates.
Marta is a tool designed to forensically scan memory for evidence of kernel mode threats. Marta generically detects a kernel function pointer hooking technique which evades PatchGuard and other common anti-rootkit products. This technique was made popular by the DOUBLEPULSAR implant, which has been implicated in many widespread attacks including WannaCry. Marta is compatible with 64-bit versions of Windows 7 and newer platforms. Marta is a console-based application which requires administrative privileges.
Noteclass is a framework that leverages a pre-built Naive Bayes binary classifier to discover ransom notes and detect ransomware at runtime.
Ember (Endgame Malware BEnchmark for Research) is an open source collection of 1.1 million portable executable file (PE file) sha256 hashes that were scanned by VirusTotal sometime in 2017. The dataset includes metadata, derived features from the PE files, and a benchmark model trained on those features. Importantly, ember does NOT include the files themselves, so that we avoid releasing others’ intellectual property. With this dataset, researchers can now quantify the effectiveness of new machine learning techniques against a well-defined and openly available benchmark. Endgame is releasing ember to address the lack of open-source datasets in the domain of static malware detection.
Endgame Research created the Red Team Automation (RTA) framework for internal experimentation and automated testing of some of the preventions and detections we deliver to customers in the Endgame endpoint protection platform. We are sharing the RTA framework publicly to help organizations accelerate and enable the assessment process and highlight detection coverage and gaps. Organizations can then focus more confidently on monitoring high real-time detections in their enterprise and prioritize filling critical gaps in coverage.
© Endgame Inc., 2018. All of the software provided on this site is copyrighted by Endgame, Inc. All rights reserved. This software is provided on an “as is” basis and Endgame does not make any representations or warranties associated with this software.