🤖 AI Summary
The heavener project, a modular EDR (Endpoint Detection and Response) emulation engine for Windows, has been unveiled after six months of development. The tool loads real detection logic recovered by reverse engineering commercial endpoint security products and runs it against live telemetry, so a payload can be tested against that logic without the risk of prematurely tripping an actual agent's detection. Initial vendor modules cover SentinelOne, Cortex XDR, CrowdStrike, and Sophos; a user selects a module and receives verdicts that are meant to match what the corresponding EDR agent would return.
The project matters to both AI/ML and security researchers because it exposes the detection logic, including the machine learning models, that commercial EDRs apply to endpoint telemetry, making it possible to study how those models and rules respond to specific events. The architecture has six major layers, from kernel drivers that capture process and file events to an EventPipeline that must process those events in a strict order for the detection logic to produce correct results. By running the machine learning models and behavioral scripts taken from real agents inside one emulation framework, heavener both simplifies emulation and provides a platform that can be extended to further vendors, positioning it as a useful tool for researchers and security professionals who want to improve or evaluate threat detection methodology.
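The summary says the EventPipeline must process events in a strict order for detection to be correct. The following added example (not heavener's code; the stage names, event schema, sequence-number field and the single "drop-and-execute" rule are assumptions made for illustration) shows why: a classic dropper pattern can only be recognised if the file-write event is evaluated before the process-create event for the same path, and pluggable vendor-style modules see the enriched state only after ordering and enrichment have run.

```python
"""Toy ordered EDR event pipeline with pluggable detection modules.

Added illustration, not heavener's code. Event fields, stage names and the
'drop-and-execute' rule are assumptions for the sake of the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    seq: int      # kernel-assigned sequence number; the pipeline must honour it
    kind: str     # "process_create" or "file_write"
    pid: int
    ppid: int     # parent pid for process events; 0 when not applicable
    path: str     # image path for process events, target path for file writes


@dataclass
class Verdict:
    module: str
    severity: str   # "benign" | "suspicious" | "malicious"
    reason: str


@dataclass
class State:
    """Enrichment state accumulated as events flow through the pipeline."""
    written_by: Dict[str, int] = field(default_factory=dict)  # path -> writer pid
    parent: Dict[int, int] = field(default_factory=dict)      # pid  -> ppid


Module = Callable[[State, Event], Optional[Verdict]]


def order_events(events: List[Event]) -> List[Event]:
    """Stage 1: callbacks from separate process and file drivers can arrive
    interleaved, so sort by kernel sequence number before anything else."""
    return sorted(events, key=lambda e: e.seq)


def enrich(state: State, ev: Event) -> None:
    """Stage 2: record who wrote which file and the process tree."""
    if ev.kind == "file_write":
        state.written_by[ev.path.lower()] = ev.pid
    elif ev.kind == "process_create":
        state.parent[ev.pid] = ev.ppid


def drop_and_execute(state: State, ev: Event) -> Optional[Verdict]:
    """Stage 3 (one hypothetical vendor-style module): flag a new process
    whose image was written earlier by one of its ancestors."""
    if ev.kind != "process_create":
        return None
    writer = state.written_by.get(ev.path.lower())
    if writer is None:
        return None
    cur, seen = ev.ppid, set()           # walk up the ancestry chain
    while cur is not None and cur not in seen:
        if cur == writer:
            return Verdict("demo_module", "malicious",
                           f"pid {writer} wrote and then launched {ev.path}")
        seen.add(cur)
        cur = state.parent.get(cur)
    return None


def run_pipeline(events: List[Event], modules: List[Module],
                 honour_order: bool = True) -> List[Verdict]:
    """Run ordering -> enrichment -> modules. honour_order=False skips stage 1
    to show what an out-of-order pipeline misses."""
    state = State()
    verdicts: List[Verdict] = []
    for ev in (order_events(events) if honour_order else events):
        enrich(state, ev)
        for module in modules:
            v = module(state, ev)
            if v is not None:
                verdicts.append(v)
    return verdicts


# Constructed telemetry (not captured data), deliberately supplied out of
# sequence: the process launch arrives before the file write that preceded it.
SAMPLE_EVENTS = [
    Event(3, "process_create", 200, 100, r"C:\Users\u\AppData\Local\Temp\a.exe"),
    Event(1, "process_create", 100, 50,  r"C:\Windows\System32\cmd.exe"),
    Event(2, "file_write",     100, 0,   r"C:\Users\u\AppData\Local\Temp\A.EXE"),
]


def demo() -> tuple:
    """Returns (verdicts with ordering, verdicts without ordering)."""
    ordered = run_pipeline(SAMPLE_EVENTS, [drop_and_execute])
    unordered = run_pipeline(SAMPLE_EVENTS, [drop_and_execute], honour_order=False)
    return ordered, unordered


if __name__ == "__main__":
    ordered, unordered = demo()
    print("ordered  :", [v.reason for v in ordered])     # one malicious verdict
    print("unordered:", [v.reason for v in unordered])   # nothing detected
```

With ordering the module sees the write to `A.EXE` (case-folded) before the launch of `a.exe` by the same pid and returns a malicious verdict; fed the raw interleaved stream it sees the launch first, finds no writer, and misses the pattern entirely. Real agents carry many more stages and far richer state, but the dependency of verdict correctness on evaluation order is the same.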