Endgame Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE comments are included in italics.

Product Versions

Version 3.0.2


The Endgame platform is a centrally managed single agent solution that unifies prevention, detection, response, and threat hunting to stop attacks. It delivers layered signatureless preventions, deep, contextualized visibility into endpoint events, and a rich set of response capabilities in a single lightweight agent. It is driven by a scalable and easy-to-use on-prem or SaaS management platform and supports easy integration with other tools through a fully documented API.

The Endgame agent takes seconds to deploy and is very lightweight, with < 1% overall system impact and average CPU usage of < 2%. It monitors the endpoint in real time, providing real-time prevention to keep threats out and rich data collection and intelligent automation to streamline triage, hunting, and response. Cloud is optional; offline or enclaved endpoints are equally protected.

Endgame's high confidence, layered, signatureless protections cover the entire attacker lifecycle, mapped to ATT&CK. Kernel Behavioral Preventions operate in-line at the lowest level, blocking techniques like exploits, process injection, credential dumping, token theft, and more. Endgame's third-party validated, lightweight static and dynamic models block 99%+ of malware, malicious macro-enabled documents, and ransomware before damage can take place. Endgame's tradecraft protections monitor system activity in real-time, alerting on techniques across all tactics in ATT&CK with very high confidence. These behavioral protections operating in unison provide high confidence that breaches of all kinds will be blocked or detected very early.

No product will prevent 100% of all breaches, and because attackers often impersonate normal users, no product can alert across the full depth of ATT&CK without creating massive false positives in production. Deep visibility with long retrospective lookback is necessary to hunt for and respond to threats that get through the extensive protection layers. Endgame provides the visibility needed by hunters and responders, collecting, enriching, contextualizing, and making available endpoint telemetry data like process executions, domain lookups, TCP connection information, and much more. Endgame's collection sources are hardened and very difficult for adversaries to blind, a growing problem in endpoint security. Endgame's unique hybrid endpoint/cloud architecture provides the longest lookback in the industry (approximately 180 days by default) and flexible event forwarding to the Endgame cloud and/or a customer's SIEM/data lake for further enrichment.

Hunters can access the data flexibly. Sophisticated users with deep knowledge of attacker behaviors can write simple queries using Endgame's powerful Event Query Language to ask any possible security-relevant question. Less experienced users are able to use the Artemis natural language query interface and baked-in investigations to hunt without needing years of experience and training to make an impact.

Endgame users can easily interact with alerts and query results through Resolver, a graphical, interactive UI which describes the full extent of an attack and allows for rapid single-click response, or through the robust Endgame Shell. Endgame provides a rich set of response actions such as file quarantine, host isolation, file retrieval or deletion, process memory dumps, and more, in most cases eliminating the need for responders to bring in other tools.


Default Threat Hunting Policy (in Detect-Only mode, per test criteria)