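<#
.SYNOPSIS
    Simulated malicious executable for tabletop exercises.

.DESCRIPTION
    NON-DESTRUCTIVE: operates ONLY inside a test directory. Each phase is either
    log-only or confined to files directly under RootPath\VictimData:
      - Reconnaissance only enumerates that directory.
      - Persistence is logged only; no registry key is written.
      - Command & control is logged only; the sole network activity is a ping
        to 127.0.0.1.
      - "Encryption" renames files by appending .simulated_encrypted.
      - The "ransom note" is a plain text file under RootPath.

    Recommended:
      - Run as a standard user on a lab machine.
      - Optionally place some dummy files inside RootPath\VictimData before
        running; if no un-renamed files are present the script seeds five.

.PARAMETER RootPath
    Folder under which all simulated activity happens.
    Defaults to C:\SimulatedIncident.

.NOTES
    Re-running is safe: files already carrying the .simulated_encrypted suffix
    are left alone, so the suffix is never doubled.
#>
param(
    [string]$RootPath = "C:\SimulatedIncident"
)

# ---------------- CONFIGURATION ----------------

# Suffix appended by the "encryption" phase; also used to recognise files
# renamed by an earlier run.
$EncryptedSuffix = ".simulated_encrypted"

$DataPath = Join-Path $RootPath "VictimData"
$LogPath  = Join-Path $RootPath "incident.log"
$NotePath = Join-Path $RootPath "README_SIMULATED_RANSOM_NOTE.txt"

# Fake C2 / domain names for logs only (no real network exfil)
$FakeC2Host   = "c2.example.local"
$FakeVictimId = [guid]::NewGuid().ToString()

# ---------------- HELPER FUNCTIONS ----------------

function Write-Log {
    <#
    .SYNOPSIS
        Writes a timestamped line to the console and appends it to $LogPath.
    .PARAMETER Message
        Text to log; the timestamp prefix is added here.
    #>
    param(
        [string]$Message
    )

    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $line = "[$timestamp] $Message"

    # Console
    Write-Host $line

    # File. Use the same encoding Initialize-Environment used to create the
    # log; without it Windows PowerShell's Add-Content default (ANSI) would be
    # mixed with the UTF-8 header line.
    Add-Content -Path $LogPath -Value $line -Encoding UTF8
}

function Get-VictimFiles {
    <#
    .SYNOPSIS
        Returns the files directly under $DataPath (no recursion).
        Returns nothing if the directory does not exist.
    #>
    Get-ChildItem -Path $DataPath -File -ErrorAction SilentlyContinue
}

function Get-PendingVictimFiles {
    <#
    .SYNOPSIS
        Returns the files under $DataPath that have not yet been renamed by
        the "encryption" phase (i.e. do not end in $EncryptedSuffix).
    #>
    Get-VictimFiles | Where-Object { $_.Name -notlike "*$EncryptedSuffix" }
}

function Initialize-Environment {
    <#
    .SYNOPSIS
        Creates the test directories, seeds dummy data if needed and starts a
        fresh incident log.
    #>
    Write-Host "=== SIMULATED MALICIOUS EXECUTION ==="
    Write-Host "This is a SAFE tabletop simulation. No real damage will occur."
    Write-Host ""

    # Safety guard: the rename phase must only ever touch files under RootPath.
    # DataPath is derived from RootPath above, so this only fails if the
    # configuration block has been edited inconsistently.
    $fullRoot = [System.IO.Path]::GetFullPath($RootPath)
    $fullData = [System.IO.Path]::GetFullPath($DataPath)
    if (-not $fullData.StartsWith($fullRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "DataPath '$DataPath' is not under RootPath '$RootPath'; refusing to run."
    }

    foreach ($dir in @($RootPath, $DataPath)) {
        if (-not (Test-Path $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
    }

    # Seed dummy "user data" when there is nothing left for the encryption
    # phase to rename (first run, emptied directory, or all files already
    # renamed by a previous run). Operator-supplied files are never removed.
    if (-not (Get-PendingVictimFiles)) {
        1..5 | ForEach-Object {
            $dummyFile = Join-Path $DataPath ("Important_Document_$($_).txt")
            "This is dummy file $($_) created for the tabletop exercise." | Set-Content -Path $dummyFile
        }
    }

    # Create / clear log file
    "=== Simulated Incident Log ===" | Out-File -FilePath $LogPath -Encoding UTF8

    Write-Log "Simulation started. Victim ID: $FakeVictimId"
    Write-Log "RootPath: $RootPath"
}

function Simulate-Reconnaissance {
    <#
    .SYNOPSIS
        Phase 1: enumerates the test directory and logs each file found.
    #>
    Write-Log "Phase 1: Reconnaissance - enumerating files in test directory."
    Start-Sleep -Seconds 2

    foreach ($f in Get-VictimFiles) {
        Write-Log "Discovered file: $($f.FullName) (Size: $($f.Length) bytes)"
        Start-Sleep -Milliseconds 300
    }
}

function Simulate-Persistence {
    <#
    .SYNOPSIS
        Phase 2: logs the autorun key real malware might create. Log only;
        nothing is written to the registry.
    #>
    Write-Log "Phase 2: Simulating persistence (fake registry entry in log only)."
    Start-Sleep -Seconds 2

    $fakeRegKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SimulatedMalware"
    Write-Log "Would create autorun key: $fakeRegKey"
}

function Simulate-CommandAndControl {
    <#
    .SYNOPSIS
        Phase 3: logs a fake C2 check-in. The only network traffic is a ping
        to 127.0.0.1; the fake host is never resolved or contacted.
    #>
    Write-Log "Phase 3: Simulating command & control 'check-in'."
    Start-Sleep -Seconds 2

    # No real network exfiltration - just log and ping localhost
    Write-Log "Attempting DNS resolution to $FakeC2Host (simulated)."
    Write-Log "Beacon payload: VictimId=$FakeVictimId, Hostname=$($env:COMPUTERNAME)"
    Write-Log "Pinging localhost to generate some benign network activity."

    try {
        Test-Connection -ComputerName "127.0.0.1" -Count 2 -ErrorAction SilentlyContinue | Out-Null
    }
    catch {
        # Best effort only; a failed ping must not abort the exercise.
    }
}

function Simulate-Encryption {
    <#
    .SYNOPSIS
        Phase 4: "encrypts" files by renaming them with $EncryptedSuffix.
        File contents are never modified.
    #>
    Write-Log "Phase 4: Simulating file 'encryption' (rename only)."
    Start-Sleep -Seconds 2

    # Only files not yet carrying the suffix, so re-running never yields
    # "name.simulated_encrypted.simulated_encrypted". The burst of rename
    # events in the test directory is what file-monitoring tooling should see.
    foreach ($f in Get-PendingVictimFiles) {
        $newName = $f.Name + $EncryptedSuffix
        Write-Log "Renaming $($f.Name) -> $newName"
        Rename-Item -Path $f.FullName -NewName $newName -Force
        Start-Sleep -Milliseconds 300
    }
}

function Drop-RansomNote {
    <#
    .SYNOPSIS
        Phase 5: writes the simulated ransom note to $NotePath.
    #>
    Write-Log "Phase 5: Dropping simulated ransom note."
    Start-Sleep -Seconds 2

    $note = @"
************************************************************
                SIMULATED RANSOMWARE NOTE
************************************************************

This is a NON-DESTRUCTIVE tabletop exercise.
No real files have been encrypted.

Details:
- Victim ID: $FakeVictimId
- Hostname: $($env:COMPUTERNAME)
- Date: $(Get-Date)

If you are seeing this note during a real incident:
1) Disconnect affected systems from the network.
2) Notify the incident response team immediately.
3) Follow your organization's IR playbook.

For this EXERCISE:
- Treat this as a live incident scenario.
- Follow your communication, triage, and escalation playbooks.
- Confirm this is ONLY a simulation before taking any real-world actions.

************************************************************
"@

    $note | Set-Content -Path $NotePath -Encoding UTF8
    Write-Log "Simulated ransom note written to: $NotePath"
}

function Simulate-CPU-Activity {
    <#
    .SYNOPSIS
        Phase 6: spins a short arithmetic loop so the process briefly shows
        CPU usage in Task Manager.
    #>
    Write-Log "Phase 6: Simulating brief CPU activity loop."
    Start-Sleep -Seconds 1

    # Short, non-harmful loop. Assigning to $null discards the result; the
    # original "$x = ... | Out-Null" assigned nothing and spawned a pipeline
    # per iteration.
    for ($i = 1; $i -le 500000; $i++) {
        $null = [math]::Sqrt($i)
    }

    Write-Log "CPU activity simulation complete."
}

function Complete-Simulation {
    <#
    .SYNOPSIS
        Logs completion and prints where the artefacts were written.
    #>
    Write-Log "Simulation complete. No real damage performed."

    Write-Host ""
    Write-Host "=== SIMULATION COMPLETE ==="
    Write-Host "Log file: $LogPath"
    Write-Host "Data dir: $DataPath"
    Write-Host "Note:     $NotePath"
}

# ---------------- MAIN ----------------

Initialize-Environment
Simulate-Reconnaissance
Simulate-Persistence
Simulate-CommandAndControl
Simulate-Encryption
Drop-RansomNote
Simulate-CPU-Activity
Complete-Simulation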