I'm working on a fun project right now where I'm evaluating endpoint protection solutions for a client. They're faced with a choice of either refreshing endpoints to the latest gen of their current product, or doing a rip and replace with something else.

I've spun up a standalone AD environment with ~5 Win 10 VMs and nothing on 'em except a current set of patches. The idea is I can assign each workstation VM an install of INSERT_NAME_OF_POPULAR_AV_VENDOR_HERE and have somewhat of a "bake off."

Now what I'm finding is there are great sites like AV Test or AV-Comparatives do a nice job of breaking down what kind of performance, features, and management offerings a given vendor has. But what I haven't found is some structured testing for "act like a bad guy" actions. I'm thinking things like:

  • Mimikatz tomfoolery
  • Lateral attacks with Metasploit shells
  • Egress port scanning (to find an acceptable outbound port for C2 or data exfil)
  • Jacking around with various PowerShell scripts and commands

However, thanks to some awesome friends on Slack they pointed me to what looks to be a nice set of scripts/tests - many of which could be used to see what kind of behaviors the endpoint protection will catch. So coming up in part #2 of this series, I'll do a deeper dive into: