Adversary Emulation Suite
A malware analysis platform is only useful when its detections can be trusted. AES gives Blackbird known, repeatable adversary behavior to run against, measure, and improve.
Reliable detections need known-good tests.
Unknown and public malware samples are useful, but they are not enough on their own. AES exists so Blackbird can be tested against a purpose-built set of behaviors with clear expectations, stable outputs, and results that can be benchmarked from run to run.
A growing map of adversary behavior.
Execution and process behavior
Direct syscall handling, suspicious process creation, PPID behavior, remote execution, APC delivery, section mapping, and thread context changes.
Persistence and system discovery
Registry autoruns, service configuration, LSA/Kerberos-oriented queries, security product probes, COM/WMI/ETW paths, and environment discovery.
Memory, module, and network signals
Protection flips, entropy changes, dynamic function table usage, SxS/module-load anomalies, DNS and beacon patterns, and localhost controls.
Benign baselines
Known-clean file, registry, memory, process, document, inventory, COM logging, DLL load, and localhost workflows that should stay quiet.