Harmless malware for training: Windows edition

Simulated malware behaviour, detection practice, and how to build it.

This fake malware script is designed to mimic suspicious behaviour commonly flagged by endpoint detection tools on Windows. It’s safe, non-destructive, and ideal for training scenarios in sandboxed environments.

Warning: Only run this in a test environment. Never use this on production systems or without clear permission.

What it simulates

  • Creates unusual directories and files

  • Writes pseudo-sensitive content

  • Makes outbound HTTP requests

  • Logs system information

  • Leaves obvious traces for detection tools

Tools you’ll need

  • A test Windows machine or VM (e.g. VirtualBox, Hyper-V)

  • PowerShell (preinstalled on modern Windows)

  • Administrator rights (recommended for full simulation)

How to build and run it

  1. Open Notepad (or any plain text editor)

  2. Paste the following PowerShell script:

# HARNESS: Fake Malware for Detection Training (Windows)
# This script is harmless but mimics malware-like behaviour

# Create suspicious directory
$dir = "C:\temp\fakeattack"
New-Item -ItemType Directory -Path $dir -Force
Set-Location $dir

# Simulate fake data exfil
"Simulated exfiltration attempt" | Out-File -Encoding ASCII data_dump.txt

# Log system info
Get-Process | Out-File -Append processlog.txt
Get-Service | Out-File -Append servicelog.txt

# Fake network communication
try {
    Invoke-WebRequest -Uri "http://example.com/fakeendpoint" -OutFile netlog.txt
} catch {
    "Failed network call" | Out-File -Append netlog.txt
}

# Leave a creepy log
"[SIMULATED MALWARE] This is only a test... or is it?" | Out-File -Append notes.txt

  3. Save the file as fake-malware.ps1

  4. Right-click PowerShell → Run as Administrator

  5. Execute the script:

powershell -ExecutionPolicy Bypass -File fake-malware.ps1

Detection practice

  • Use Windows Defender or your EDR to flag the HTTP request or file write

  • Check C:\temp\fakeattack for suspicious files

  • Review Event Logs for PowerShell script execution

  • Practice building alerts using:

    • Windows Event IDs (4104 for PowerShell script block logging, 4688 for process creation)

    • Sysmon logs (if configured)

    • PowerShell transcript logging
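As an added example (not part of the original script), the following PowerShell snippet hunts for the traces the training script leaves behind, using the event IDs listed above. It assumes script block logging and process creation auditing (with command line) are enabled on the test machine; where they are not, the matching query simply returns nothing.

```powershell
# Added hunting example for the fake-malware exercise (not part of the original script).
# Assumes: Script Block Logging enabled, "Audit Process Creation" with command line
# enabled, and optionally Sysmon installed. Adjust $Since to the exercise window.
$Marker   = 'fakeattack'        # appears in the drop directory C:\temp\fakeattack
$ScriptNm = 'fake-malware.ps1'  # file name the exercise saves the script as
$Since    = (Get-Date).AddHours(-1)

# 1) Script Block Logging: Event ID 4104 in the PowerShell Operational log.
#    The logged script text is in Properties[2] (ScriptBlockText).
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $Marker }

# 2) Process creation: Event ID 4688 in the Security log.
#    The command line is in Properties[8]; it is empty unless
#    "Include command line in process creation events" is turned on.
$procs = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -match [regex]::Escape($ScriptNm) }

# 3) Sysmon (if configured): Event ID 11 (FileCreate) for the dropped files,
#    Event ID 3 (NetworkConnect) for the outbound call to example.com.
$sysmon = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3, 11; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "$Marker|example\.com" }

# 4) On-disk artefacts written by the script.
$files = Get-ChildItem -Path 'C:\temp\fakeattack' -File -ErrorAction SilentlyContinue

# Summary for the facilitator: any non-zero count is a detection opportunity
# participants can turn into an alert rule.
[pscustomobject]@{
    ScriptBlockEvents = @($blocks).Count
    ProcessEvents     = @($procs).Count
    SysmonEvents      = @($sysmon).Count
    DroppedFiles      = @($files).Count
} | Format-List

# Show the matching script blocks so participants see what the logging captured.
$blocks | Select-Object TimeCreated, @{n='Script'; e={ $_.Properties[2].Value }} | Format-List
```

Run it from an elevated PowerShell after the exercise; reading the Security log requires administrator rights.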

Facilitator notes

  • Always run these exercises in virtual machines or isolated lab environments.

  • Don’t simulate malware using real user data or on production networks.

  • Be transparent: this is not a trick, it’s a controlled experience.

  • Let participants feel the tension of detection—then show the relief of clean-up.

Training with fake malware builds muscle memory. Participants learn what to watch for, how to respond, and how to stay calm under pressure. It also reduces the fear factor around real incidents.

Knowledge is power. Even if the malware is fake, the skills it builds are very real.

You’re not hacking—you’re rehearsing. That’s what good defence looks like.


Last update: 2025-06-11 07:09