Generating Alerts in your Defender Environment - mattnovitsch/M365 GitHub Wiki

Summary

I want to start off by saying these are test files and queries; however, please use caution when testing them in your environment. The scheduled tasks that Setup.ps1 creates are meant to run daily, as they would in a lab environment, so that alerts keep triggering.

These can be used to generate sample attack activity in your environment, which is useful for customer presentations or for learning about the different attacks that could happen. The following will be triggered:

  1. Network Protection
  2. Download EICAR File
  3. Download of PUA File
  4. Run ORADAD (Security principal reconnaissance (LDAP))
  5. Reconnaissance
  6. Remote PowerShell / Lateral movement
  7. Removal of Defender (tamper protection)
  8. Suspicious PowerShell
  9. AMSI Test

I added an OnDemandRun.ps1 to Labs.zip that runs all the scripts back to back, so you don't have to wait for the scheduled tasks. If you run OnDemandRun.ps1, expect Defender to kick off Attack Disruption and disable the account you are running it with. It will also produce a nice attack web in the incident view.

Please note this is NOT meant to be run in a production environment.

Prerequisites

Steps

  1. Download Labs.zip

  2. Extract all items into the Tools folder (C:\Tools).

  3. Open an Administrator PowerShell and navigate to C:\Tools\Labs.

  4. Run Setup.ps1.

  5. Validate that the tasks are present in Task Scheduler.

  6. You can kick off the jobs manually or let them run on their own schedule. Once they complete, you should see the alerts listed above in the Defender portal.
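Before letting the tasks run, it is worth confirming that the Defender features the alerts depend on (real-time protection, network protection, PUA protection, tamper protection) are actually enabled on the lab VM, and that Setup.ps1 really registered the tasks. The following is an added example written for this page; it is not one of the scripts in Labs.zip. It assumes the lab tasks can be matched by a name pattern (the page does not list their exact task names, so adjust `-TaskNamePattern` to what Task Scheduler shows) and that it is run from the same elevated PowerShell session as Setup.ps1.

```powershell
# Added example, not part of Labs.zip: pre-flight check of the Defender features
# the lab alerts rely on, then validation (and optional on-demand start) of the
# scheduled tasks Setup.ps1 registered. Run elevated on the lab VM only.
#
# ASSUMPTION: the lab tasks are matched by a name pattern. The wiki page does not
# list their exact names, so set -TaskNamePattern to what Task Scheduler shows.

function Test-DefenderLabReadiness {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Get-MpPreference reports these as 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
    # In audit mode the activity is logged but no alert-generating block occurs.
    $modeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected      # needed for the tamper-protection alert
        NetworkProtection  = $modeName[[int]$pref.EnableNetworkProtection]
        PUAProtection      = $modeName[[int]$pref.PUAProtection]
        MAPSReporting      = $pref.MAPSReporting            # 0 = cloud protection off
        CloudBlockLevel    = $pref.CloudBlockLevel
    }
}

function Get-DefenderLabTask {
    param([string]$TaskNamePattern = '*Lab*')   # assumption: change to your task names

    Get-ScheduledTask -TaskName $TaskNamePattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName       = $_.TaskName
                TaskPath       = $_.TaskPath
                State          = $_.State
                Action         = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                NextRunTime    = $info.NextRunTime
                LastRunTime    = $info.LastRunTime
                LastTaskResult = $info.LastTaskResult      # 0 = last run completed successfully
            }
        }
}

function Start-DefenderLabTask {
    param(
        [string]$TaskNamePattern = '*Lab*',     # assumption: change to your task names
        [int]$DelaySeconds = 30                 # spacing makes each alert easy to tie to its task
    )
    foreach ($task in Get-ScheduledTask -TaskName $TaskNamePattern -ErrorAction SilentlyContinue) {
        Write-Host ("Starting {0}{1}" -f $task.TaskPath, $task.TaskName)
        Start-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName
        Start-Sleep -Seconds $DelaySeconds
    }
}

# Usage
Test-DefenderLabReadiness | Format-List
Get-DefenderLabTask | Format-Table -AutoSize
# Start-DefenderLabTask   # uncomment to fire every lab task now (expect Attack Disruption, lab VM only)
```

If `NetworkProtection` or `PUAProtection` shows `Disabled` or `AuditMode`, the corresponding alerts will not fire; enable them with `Set-MpPreference -EnableNetworkProtection Enabled` and `Set-MpPreference -PUAProtection Enabled` (or through your Intune/GPO policy) before running the tasks. An empty result from `Get-DefenderLabTask` means either Setup.ps1 did not register the tasks or the name pattern does not match what it created.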

References

Uninstall

If you would like to remove them then please download the Uninstall file.