Safe, repeatable proof for every detection
Each lab ships with a controlled validation command. None of them execute real malware. They are deliberately benign — designed to trigger the underlying telemetry and rule logic without harming the system.
This project does not execute, distribute, or document offensive payloads. Every validation command is structured to log the indicator that the rule looks for — nothing more. Run validations only on isolated lab endpoints you own.
Detecting PowerShell EncodedCommand Abuse
Safe in-lab proof — prints 'detection-test' from a base64 payload.
powershell.exe -nop -w hidden -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
Detecting Invoke-Expression (IEX) Misuse
Safe equivalent — IEX evaluating an inert literal.
powershell.exe -c "IEX 'Write-Host detection-test'"
Detecting DownloadString / Invoke-WebRequest Staging
Safe local-only fetch.
powershell.exe -c "(New-Object Net.WebClient).DownloadString('http://127.0.0.1/healthz')"
Detecting Hidden-Window PowerShell
Spawn a hidden PowerShell that exits immediately.
powershell.exe -nop -w hidden -c "exit"
Detecting -ExecutionPolicy Bypass
Run a harmless script with bypass.
powershell.exe -ExecutionPolicy Bypass -Command "Write-Host detection-test"
Detecting Office Applications Spawning PowerShell
Manually invoke powershell from Excel for a controlled test.
Excel → Developer → VBA: Shell "powershell.exe -c Write-Host detection-test"
PowerShell + Outbound Network Correlation
Localhost fetch — safe.
powershell.exe -c "Invoke-WebRequest http://127.0.0.1 -UseBasicParsing"
PowerShell + Persistence Indicator Correlation
Create an inert Run key from PowerShell.
powershell.exe -c "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name DetectionTest -Value 'notepad.exe' -PropertyType String -Force"
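The two correlation labs above join a PowerShell process to what it did next. The example below is added here and is not the project's own code: it joins constructed Sysmon-style network-connection (Event ID 3) and registry-value-set (Event ID 13) records back to the PowerShell process-creation record (Event ID 1) that carries the same ProcessGuid, inside a time window, and so flags the localhost fetch and the inert Run-key write that the validators generate. Record field names follow Sysmon's, but the GUIDs, timestamps, SID and hosts are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style records: EID 1 (process create), 3 (network connect),
# 13 (registry value set). GUIDs, times, the SID and the hosts are made up.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "P1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Invoke-WebRequest http://127.0.0.1 -UseBasicParsing"'},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:01.200", "ProcessGuid": "P1",
     "DestinationIp": "127.0.0.1", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2024-01-01 10:05:00.000", "ProcessGuid": "P2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -c \"New-ItemProperty -Path HKCU:\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run -Name DetectionTest -Value 'notepad.exe' -Force\"")},
    {"EventID": 13, "UtcTime": "2024-01-01 10:05:00.400", "ProcessGuid": "P2",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\DetectionTest",
     "Details": "notepad.exe"},
    # Control case: a PowerShell whose only network activity is far outside the window.
    {"EventID": 1, "UtcTime": "2024-01-01 10:10:00.000", "ProcessGuid": "P3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Write-Host detection-test"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:20:00.000", "ProcessGuid": "P3",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

# Autostart locations the persistence lab writes to (Run and RunOnce under CurrentVersion).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_time(s: str) -> datetime:
    """Sysmon UtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def correlate(events: list, window_seconds: int = 60) -> list:
    """Join EID 3 / EID 13 records to the PowerShell EID 1 owning their ProcessGuid.

    Only follow-on events that land within window_seconds after process start count;
    each hit returns the rule name, the GUID, a detail string and the launching command line.
    """
    starts = {e["ProcessGuid"]: e for e in events
              if e["EventID"] == 1 and e["Image"].lower().endswith("powershell.exe")}
    window = timedelta(seconds=window_seconds)
    alerts = []
    for e in events:
        start = starts.get(e["ProcessGuid"])
        if start is None or e["EventID"] == 1:
            continue
        delta = parse_time(e["UtcTime"]) - parse_time(start["UtcTime"])
        if not (timedelta(0) <= delta <= window):
            continue
        if e["EventID"] == 3:
            alerts.append({"rule": "powershell_outbound_network", "ProcessGuid": e["ProcessGuid"],
                           "detail": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                           "CommandLine": start["CommandLine"]})
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            alerts.append({"rule": "powershell_run_key_persistence", "ProcessGuid": e["ProcessGuid"],
                           "detail": f'{e["TargetObject"]} = {e["Details"]}',
                           "CommandLine": start["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["rule"], alert["ProcessGuid"], alert["detail"])
```

The window is the knob that decides whether the P3 connection counts: with the default 60 seconds it is dropped, with a one-hour window it is reported. Keying the join on ProcessGuid rather than PID avoids mis-joins when Windows reuses a PID between the process-creation and the follow-on event.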
Suspicious Parent/Child Process Relationships
Use psexec or runas to fake an unusual parent in a lab VM only.
PsExec.exe -accepteula -i -s powershell.exe -c "Write-Host detection-test"
Office → Script Interpreter Execution Chains
Simulate a multi-hop chain in a VM lab only.
VBA: Shell "mshta.exe vbscript:CreateObject(""WScript.Shell"").Run(""powershell.exe Write-Host detection-test"")"
Detecting AMSI Bypass Attempts
Log an inert string matching a known bypass token (no patching).
powershell.exe -c "Write-Host 'detection-test: amsiInitFailed reference'"
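The three lineage labs above (Office spawning PowerShell, suspicious parent/child relationships, Office → script interpreter chains) all reduce to walking a process tree. The example below is added here and is not part of the project: it builds the tree from constructed Sysmon-style Event ID 1 records and flags (a) any script interpreter that has an Office application as an ancestor within a few hops, which covers both the one-hop Excel → powershell.exe case and the Excel → mshta.exe → powershell.exe chain, and (b) PowerShell whose direct parent is outside a baseline of expected parents, which is what the PsExec validator produces. GUIDs, image paths, the interpreter set and the parent baseline are assumptions for this example.

```python
import ntpath

# Constructed Sysmon-style Event ID 1 records; GUIDs and paths are made up.
# Lineages: explorer -> EXCEL -> mshta -> powershell (lab chain),
#           explorer -> cmd -> powershell (benign control),
#           PSEXESVC -> powershell (unexpected parent, PsExec -s validator).
EVENTS = [
    {"ProcessGuid": "G1", "ParentProcessGuid": None, "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessGuid": "G3", "ParentProcessGuid": "G2", "Image": r"C:\Windows\System32\mshta.exe"},
    {"ProcessGuid": "G4", "ParentProcessGuid": "G3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "G5", "ParentProcessGuid": "G1", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "G6", "ParentProcessGuid": "G5",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "G7", "ParentProcessGuid": None, "Image": r"C:\Windows\PSEXESVC.exe"},
    {"ProcessGuid": "G8", "ParentProcessGuid": "G7",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "cmd.exe"}
# Constructed baseline: parents from which PowerShell is expected on this lab host.
EXPECTED_POWERSHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(image).lower()


def lineage(tree: dict, guid: str, max_hops: int = 8) -> list:
    """Image names from the process up to its root, bounded so broken parent links cannot loop."""
    chain = []
    while guid in tree and len(chain) < max_hops:
        chain.append(basename(tree[guid]["Image"]))
        guid = tree[guid]["ParentProcessGuid"]
    return chain


def detect_office_chains(events: list, max_hops: int = 3) -> list:
    """Script interpreter with an Office ancestor within max_hops; returns 'root -> ... -> leaf'."""
    tree = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        chain = lineage(tree, e["ProcessGuid"])
        if chain[0] not in SCRIPT_INTERPRETERS:
            continue
        for depth, ancestor in enumerate(chain[1:max_hops + 1], start=1):
            if ancestor in OFFICE_APPS:
                alerts.append(" -> ".join(reversed(chain[:depth + 1])))
                break
    return alerts


def detect_unexpected_parents(events: list) -> list:
    """PowerShell whose direct parent is outside the baseline (PsExec service, mshta, ...)."""
    tree = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["Image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        parent = tree.get(e["ParentProcessGuid"])
        parent_name = basename(parent["Image"]) if parent else "<unknown>"
        if parent_name not in EXPECTED_POWERSHELL_PARENTS:
            alerts.append(f"{parent_name} -> powershell.exe")
    return alerts


if __name__ == "__main__":
    print(detect_office_chains(EVENTS))
    print(detect_unexpected_parents(EVENTS))
```

The hop bound matters in both directions: too small and the mshta hop hides the Office origin, too large and every long-lived Office session eventually "owns" an interpreter. The parent baseline is deliberately per-host; an enterprise deployment would also expect svchost.exe for scheduled tasks and the management agents in use.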
Detecting .NET Reflection Loading in PowerShell
Reference the API name in an inert string for a safe match.
powershell.exe -c "Write-Host 'detection-test: [Reflection.Assembly]::Load reference'"
Memory-Only PowerShell Execution
Log an inert reference string.
powershell.exe -c "Write-Host 'detection-test: VirtualAlloc CreateThread reference'"
Obfuscation Scoring of PowerShell Script Blocks
Run a benign script with deliberate noise characters.
powershell.exe -c "& { $a='det'+'ect'+'ion-test'; Write-Host $a }"
Entropy Analysis on Decoded PowerShell Payloads
Encode a benign string; entropy will be low — verifying the pipeline runs.
powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA
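Most of the single-process labs above (EncodedCommand, IEX, hidden window, ExecutionPolicy Bypass, the AMSI / reflection / memory-only indicator strings, obfuscation scoring and entropy) key on the same thing: a powershell.exe command line normalised into parameters and script text. The Python routine below is an added example, not code from this project: it resolves powershell.exe's abbreviated parameters (-e, -enc, -w, -ep, -nop and any other unambiguous prefix), decodes the -EncodedCommand base64 / UTF-16LE payload, flags hidden-window and Bypass use, scans the decoded script for the indicator strings the labs log, and computes a heuristic obfuscation score and Shannon entropy over the script text. Function and field names are assumptions; the inputs exercised are the validator command lines listed on this page.

```python
import base64
import math
import re

# Canonical powershell.exe parameters plus the short forms powershell.exe documents
# (-e/-ec, -c, -ep, -w, -nop). Any other unambiguous prefix also resolves, as on the binary.
CANONICAL = ["Command", "EncodedCommand", "ExecutionPolicy", "File", "NoProfile",
             "NoLogo", "NonInteractive", "NoExit", "WindowStyle"]
ALIASES = {"e": "EncodedCommand", "ec": "EncodedCommand", "c": "Command",
           "ep": "ExecutionPolicy", "w": "WindowStyle", "nop": "NoProfile"}
# Script-text tokens the labs above log; matched case-insensitively in the (decoded) script.
INDICATORS = ["IEX", "Invoke-Expression", "DownloadString", "Invoke-WebRequest",
              "amsiInitFailed", "[Reflection.Assembly]::Load", "VirtualAlloc", "CreateThread"]


def resolve_param(token: str):
    """Map '-EncodedCommand', '-enc' or '-e' to one canonical name; None if not a parameter."""
    if not token.startswith("-"):
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    hits = [p for p in CANONICAL if p.lower().startswith(name)]
    return hits[0] if len(hits) == 1 else None


def tokenize(cmdline: str) -> list:
    """Minimal Windows-style split: whitespace separated, double-quoted runs kept whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE script text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shannon_entropy(text: str) -> float:
    """Bits per character of the script text; plain script sits well below packed data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def obfuscation_score(script: str) -> int:
    """Heuristic count of string-reassembly constructs; plain script text scores 0."""
    patterns = [r"""['"]\s*\+\s*['"]""",  # 'lit' + 'lit' concatenation (one hit per '+')
                r"`[A-Za-z]",             # backtick-split identifiers
                r"\[char\]\s*\d+",        # [char]NN character building
                r"-join\b",               # -join reassembly
                r"-f\s*[\"'$]"]           # -f format-string reassembly
    return sum(len(re.findall(p, script, flags=re.IGNORECASE)) for p in patterns)


def triage(cmdline: str) -> dict:
    """Normalise one powershell.exe command line into the fields the rules above key on."""
    tokens, params = tokenize(cmdline), {}
    i = 1
    while i < len(tokens):
        name = resolve_param(tokens[i])
        if name == "Command":                       # -Command consumes the rest of the line
            params[name] = " ".join(tokens[i + 1:])
            break
        if name in ("EncodedCommand", "ExecutionPolicy", "WindowStyle", "File"):
            params[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:                                       # switch parameter or unrecognised token
            if name:
                params[name] = True
            i += 1
    script = params.get("Command")
    if "EncodedCommand" in params:
        script = decode_encoded_command(params["EncodedCommand"])
    flags = []
    if "EncodedCommand" in params:
        flags.append("encoded_command")
    if params.get("WindowStyle", "").lower() == "hidden":
        flags.append("hidden_window")
    if params.get("ExecutionPolicy", "").lower() == "bypass":
        flags.append("execution_policy_bypass")
    if params.get("NoProfile"):
        flags.append("no_profile")
    text = script or ""
    return {"flags": flags, "script": script,
            "entropy": round(shannon_entropy(text), 3),
            "obfuscation_score": obfuscation_score(text),
            "indicators": [ind for ind in INDICATORS if ind.lower() in text.lower()]}


if __name__ == "__main__":
    print(triage("powershell.exe -nop -w hidden -EncodedCommand "
                 "VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAHQAZQBjAHQAaQBvAG4ALQB0AGUAcwB0ACIA"))
```

Two properties of the validators show up directly in the output: the encoded lab decodes to `Write-Host "detection-test"` with an entropy around 3.5 bits per character, which is why the entropy lab only proves the pipeline runs rather than producing a high score, and the noise-character lab scores 2 from its two literal concatenations while the plain Write-Host labs score 0. Prefix resolution is what keeps `-e`, `-enc` and `-EncodedC` from evading a rule that only matches the full parameter name.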
End-to-End ATT&CK Chain Correlation
Run the Phase 1 + 2 lab validators sequentially.
Run encodedcommand-abuse → office-spawns-powershell → powershell-persistence validators.