Blackbird Test and Evaluation

Adversary Emulation Suite

A malware analysis platform is only useful when its detections can be trusted. AES gives Blackbird known, repeatable adversary behavior to run against, measure, and improve.

Mission Need

Reliable detections need known-good tests.

Unknown and public malware samples are useful, but they are not enough on their own. AES exists so Blackbird can be tested against a purpose-built set of behaviors with clear expectations, stable outputs, and results that can be benchmarked from run to run.

Coverage Areas

A growing map of adversary behavior.

Execution and process behavior

Direct syscall handling, suspicious process creation, PPID behavior, remote execution, APC delivery, section mapping, and thread context changes.

Persistence and system discovery

Registry autoruns, service configuration, LSA/Kerberos-oriented queries, security product probes, COM/WMI/ETW paths, and environment discovery.

Memory, module, and network signals

Protection flips, entropy changes, dynamic function table usage, SxS/module-load anomalies, DNS and beacon patterns, and localhost controls.

Benign baselines

Known-clean file, registry, memory, process, document, inventory, COM logging, DLL load, and localhost workflows that should stay quiet.