├── LICENSE
├── Malware
│   ├── File-Mutation
│   ├── Malware-Sources-List
│   └── Readme
├── Presentations
│   └── Readme
├── README.md
└── Testing-Framework
    ├── EPP-Framework-0-Preparartion.pdf
    ├── EPP-Framework-1a-Pre-Execution.xlsx
    ├── EPP-Framework-1b-Pre-Execution.xlsx
    ├── EPP-Framework-2-Detonation.xlsx
    ├── EPP-Framework-3-All-Capabilities.xlsx
    ├── EPP-Framework-4-Targeted-Attacks.xlsx
    ├── Readme
    ├── Scenario-1
    │   └── Readme
    ├── Scenario-2
    │   └── Readme
    ├── Scenario-3
    │   └── Readme
    └── Scenario-4
        └── Readme

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Pink Tangent

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Malware/File-Mutation:
--------------------------------------------------------------------------------
This section is useful for testing use cases 1) and 2):
1) Static Prevention
2) Dynamic Prevention

For Dynamic Detection and Response, malware would "most" likely penetrate your network as non-commoditised malware. This section covers the mutation of executable files only.

There are many ways to mutate your files. During testing the most effective ways were using packers or directly modifying the binary:

1) Using a PE packer like mpress.exe or pklite
   Packers will typically make the file smaller and will in turn change the hash value of the file.
   Traditional signature-based AV can have a difficult time detecting packed files unless they sandbox them.
   Here is a great resource for understanding packers better: https://www.trustwave.com/Resources/SpiderLabs-Blog/Basic-Packers--Easy-As-Pie/

2) Create a hash modifier which essentially adds a byte to the end of the file, which in turn changes the hash value

Personally, I found using a packer and/or hash modifier worked pretty well, which enabled me to evade software between 5-10%.
I did occasionally find that a variety of PE files were unusable after they were packed.
In those cases, the hashmod was more successful.

If you have had success using other methods, please let me know and I will add it to the repo.
The more input we have, the more effective everyone's testing will be.

--------------------------------------------------------------------------------
/Malware/Malware-Sources-List:
--------------------------------------------------------------------------------
List of sites where you can download malware. Handle with care.

From Github
The Zoo - https://github.com/ytisf/theZoo
Maltrieve - https://github.com/foreni-packages/maltrieve
Malware-samples - https://github.com/fabrimagic72/malware-samples
Some Samples - https://github.com/wolfvan/some-samples
javascript-malware-collection - https://github.com/HynekPetrak/javascript-malware-collection/
funtimes-ninja/malware - https://github.com/funtimes-ninja/malware

From Other Web Sources
VirusTotal - https://www.virustotal.com/
VirusShare - https://virusshare.com/
Malwr - https://malwr.com/
TestMyAv - https://www.testmyav.com/
Malshare - http://malshare.com/
MalwareDB - http://malwaredb.malekal.com/
Malware Traffic Analysis - http://www.malware-traffic-analysis.net/
Exploit Database - https://www.exploit-db.com/
VX Vault - http://vxvault.net/ViriList.php
Malware Corpus Tracker - http://tracker.h3x.eu/

Targeted Analysis
Red Canary Scripts - https://github.com/redcanaryco/atomic-red-team
Mitre ATT&CK Adversarial Tactics, Techniques and Common Knowledge - https://attack.mitre.org/wiki/Main_Page
Obfuscation scripts which I wrote

--------------------------------------------------------------------------------
/Malware/Readme:
--------------------------------------------------------------------------------
This directory contains the resource sites used to download malware for testing scenarios 1) and 2)

Due to file size limitations, I cannot upload my samples.

(DIR) Malware-Sources
Readme file lists the websites where you can download malware

(DIR) File-Mutation
Readme file which contains notes on different ways to mutate your binaries. Again applicable to scenarios 1) and 2) only.

This directory DOES NOT include any of the weaponised powershell or other scripts written.
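The hash-modifier note in Malware/File-Mutation above says that appending a byte to a file changes its hash. The following is an added example, not code from this repository, showing on the defender's side why that defeats a whole-file hash but not a hash of the mapped PE image: it reads the section table to find where the last section's raw data ends and treats everything after that offset as overlay. The sample PE it builds is a constructed header-plus-one-section blob, not a working program.

```python
"""Added example: overlay-insensitive hashing of a PE file (not repo code)."""
import hashlib
import struct

def pe_image_end(data: bytes) -> int:
    """Offset where the last section's raw data ends; anything after it is overlay,
    never mapped by the loader, and exactly where a trailing hash-mod byte lands."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                                    # COFF file header
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = coff + 20 + opt_size                        # section table start
    end = sections + n_sections * 40                       # never before the headers
    for i in range(n_sections):                            # SizeOfRawData, PointerToRawData
        size_raw, ptr_raw = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def hashes(data: bytes) -> dict:
    """Whole-file SHA-256 beside a SHA-256 of the mapped image only."""
    end = pe_image_end(data)
    return {
        "file_sha256": hashlib.sha256(data).hexdigest(),
        "image_sha256": hashlib.sha256(data[:end]).hexdigest(),
        "overlay_bytes": len(data) - end,
    }

def same_mapped_image(a: bytes, b: bytes) -> bool:
    """True when two files differ only in overlay bytes (e.g. a hash-mod append)."""
    return hashes(a)["image_sha256"] == hashes(b)["image_sha256"]

def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS stub, COFF header, one section (144 bytes)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # 1 section, no optional header
    # .text header: VirtualSize, VirtualAddress, SizeOfRawData=0x10, PointerToRawData=0x80
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + b"\x90" * 0x10         # headers end exactly at 0x80

if __name__ == "__main__":
    clean = build_sample_pe()
    modded = clean + b"\x00"                                # the hash-mod trick from the notes
    print("clean      ", hashes(clean))
    print("hash-modded", hashes(modded))
    print("same mapped image:", same_mapped_image(clean, modded))
```

This only neutralises the overlay-append trick; a packer rewrites the whole image, so packed samples still need sandboxing or unpacking, as the File-Mutation notes say.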
--------------------------------------------------------------------------------
/Presentations/Readme:
--------------------------------------------------------------------------------
Refer to the Publications Repo
https://github.com/pinktangent/Publications

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Endpoint-Testing
The Endpoint Protection (EPP) market was a hot topic in 2017, with so many conversations at security conferences, on webinars and in whitepapers, but not much clear direction on testing. No wonder so many of us were confused. Many of the EPP vendors have highly skilled people on their teams who can offer you advice on what to do and how to test. However, the reality is that many of us are simply unsure whether the advice from the vendor pre-sales team is for their benefit or ours. It's hard to know who to believe or trust!! Many just want to help, including vendors, but that does not make it any less overwhelming.

In March 2017 I started researching EPP solutions. I quickly came to the realisation that there were no guidelines, no testing methodologies, no AV testing standards, or anything published which was going to help guide me with this task. As I tested each product, how the heck was I going to test the different features, let alone compare them to come up with some type of scoring system?!?!? Seriously, lions, tigers and bears! So quite simply, I had to come up with my own.

The purpose of this repository is to provide you with the tools that I created for POCing / testing various EPP products. I wanted to release my work in the hope that it can help others who are not sure where to start, or who want some ideas. I am not affiliated with any EPP organisation; I am simply an information security professional who recently did an EPP POC. I have taken my learnings and added them to this repo, which I hope will provoke ideas and guidance on where to start.

Other than a few vendor guides I was provided with, there really was nothing useful to assist in this huge task, and let's not get started on a scoring/ranking process. This EPP repo has all my workings: where to source your malware, your functional and non-functional requirement checklist, and finally the framework, which is the actual test cases (4 in total) and the scoring system.

If you are reading this and have other things you think are useful, please email me or log it as an issue / request.

Note: EPP Self-Paced Workshop / Class currently in progress https://pinktangent.github.io/

--------------------------------------------------------------------------------
/Testing-Framework/EPP-Framework-0-Preparartion.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pinktangent/Endpoint-Testing/a2951ef8c66aedc02cd65435e31cb4ad0f92be95/Testing-Framework/EPP-Framework-0-Preparartion.pdf
--------------------------------------------------------------------------------
/Testing-Framework/EPP-Framework-1a-Pre-Execution.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pinktangent/Endpoint-Testing/a2951ef8c66aedc02cd65435e31cb4ad0f92be95/Testing-Framework/EPP-Framework-1a-Pre-Execution.xlsx
--------------------------------------------------------------------------------
/Testing-Framework/EPP-Framework-1b-Pre-Execution.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pinktangent/Endpoint-Testing/a2951ef8c66aedc02cd65435e31cb4ad0f92be95/Testing-Framework/EPP-Framework-1b-Pre-Execution.xlsx
--------------------------------------------------------------------------------
/Testing-Framework/EPP-Framework-2-Detonation.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pinktangent/Endpoint-Testing/a2951ef8c66aedc02cd65435e31cb4ad0f92be95/Testing-Framework/EPP-Framework-2-Detonation.xlsx
--------------------------------------------------------------------------------
/Testing-Framework/EPP-Framework-3-All-Capabilities.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pinktangent/Endpoint-Testing/a2951ef8c66aedc02cd65435e31cb4ad0f92be95/Testing-Framework/EPP-Framework-3-All-Capabilities.xlsx
--------------------------------------------------------------------------------
/Testing-Framework/EPP-Framework-4-Targeted-Attacks.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pinktangent/Endpoint-Testing/a2951ef8c66aedc02cd65435e31cb4ad0f92be95/Testing-Framework/EPP-Framework-4-Targeted-Attacks.xlsx
--------------------------------------------------------------------------------
/Testing-Framework/Readme:
--------------------------------------------------------------------------------
In this directory you will find the EPP testing framework:
- 0. Preparation Guide
- 1. Static Prevention
     a) Pre-Execution (Tests for on-demand and on-write scenarios; malware is introduced as a write to disk only)
     b) Pre-Execution (Tests for on-demand and on-write scenarios; malware is introduced using different methods)
- 2. Dynamic Prevention
     a) Detonation Only
     b) All capabilities enabled
- 3. Dynamic Detection and Response
     Specific attack scenarios using Mitre ATT&CK
- 4. Business and Non-Functional Testing
     There is no malware testing in this scenario.
     These are scenarios to see how well the solution fits into your environment, the false-positive and tuning challenges, and the cost of other integrations.

EPP Self-Paced Class https://pinktangent.github.io/ COMING SOON...
This will provide a STEP-BY-STEP guide on exactly how to set up your environment, download malware, and execute the listed scenarios.

--------------------------------------------------------------------------------
/Testing-Framework/Scenario-1/Readme:
--------------------------------------------------------------------------------
Placeholder for testing scenario 1

More to come...

--------------------------------------------------------------------------------
/Testing-Framework/Scenario-2/Readme:
--------------------------------------------------------------------------------
Details for dynamic prevention

add details here

--------------------------------------------------------------------------------
/Testing-Framework/Scenario-3/Readme:
--------------------------------------------------------------------------------
Dynamic Detect and Response

Add details here

--------------------------------------------------------------------------------
/Testing-Framework/Scenario-4/Readme:
--------------------------------------------------------------------------------
Non-Functional Testing

Add content here

--------------------------------------------------------------------------------