
Script Repository

Ready-to-run PowerShell scripts for every security lab.
Download, customize, and execute simulations in your own environment.

How to Use These Scripts

  1. Download the script file for the simulation you want to run
  2. Review the header comments for requirements, prerequisites, and expected alerts
  3. Open PowerShell as Administrator on your test device (never on production)
  4. Set execution policy if needed: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  5. Run the script with the documented parameters
  6. Verify the expected alerts appear in the corresponding security portal
  7. Clean up by running the script's cleanup function or following the cleanup instructions

⚠️ Warning & Disclaimer: These scripts simulate attack techniques for educational purposes only. Run them exclusively in isolated lab environments. Never execute on production systems.

All scripts are provided by Lessi Coulibaly (LessIT) strictly for educational and training purposes. Lessi Coulibaly and LessIT are not liable for any damage, data loss, service disruption, security incidents, or any other harm caused directly or indirectly by the use or misuse of these scripts. They are provided "AS IS" without warranty of any kind. Each script requires you to accept this disclaimer before it will execute.

Defender for Endpoint

Invoke-MDEDetectionTest.ps1
  Description: 5-test detection validation: sensor check, official Microsoft test, EICAR download, network protection, encoded PowerShell command
  Level: Beginner
  Parameters: none required

Invoke-RansomwareSimulation.ps1
  Description: 6-phase safe ransomware simulation: staging, credential access, discovery, lateral movement, data collection, impact
  Level: Advanced
  Parameters: -CleanupOnly

Test-NetworkProtection.ps1
  Description: 11-check network protection validator: NP mode, Defender AV prerequisites, SmartScreen, QUIC/ECH browser policies, firewall rules, cloud connectivity, Windows Server settings, event log
  Level: Advanced
  Parameters: -FixIssues, -BlockQUIC

Defender for Identity

Invoke-MDIReconSimulation.ps1
  Description: 4-phase LDAP recon: privileged group enumeration, user enumeration, domain trust mapping, computer discovery
  Level: Intermediate
  Parameters: -DomainController

Invoke-MDICredentialTheftSim.ps1
  Description: Kerberoasting & AS-REP Roasting simulation for service accounts without pre-authentication
  Level: Advanced
  Parameters: -AttackType [Kerberoast|ASREPRoast|Both]

Invoke-MDILateralMovementSim.ps1
  Description: 4-method lateral movement: Remote PowerShell, WMI, admin share access, PsExec-style service creation
  Level: Advanced
  Parameters: -TargetComputer

Invoke-MDIDCSyncSimulation.ps1
  Description: DCSync replication simulation using DSInternals for directory replication protocol requests
  Level: Advanced
  Parameters: -TargetAccount

Microsoft Sentinel

Deploy-Sentinel.ps1
  Description: 8-step deployment: subscription picker (cross-tenant supported), resource group (create or reuse), Log Analytics workspace (create or reuse), Sentinel solution via ARM template, UEBA, Entity Analytics, 10 free content hub solutions (~500+ content items), data connectors, 9-point live validation report. Color-coded info banner with disclaimer. No sensitive IDs shown on screen.
  Level: Beginner
  Parameters: -SubscriptionId, -ResourceGroupName, -WorkspaceName, -Location

Deploy-SentinelDataLake.ps1
  Description: 10-step data lake validation: subscription picker (cross-tenant), pre-flight checks, onboarding readiness, tier routing, retention, KQL testing, promotion jobs, notebook readiness, cost monitoring, audit trail, governance checklist. Safe to re-run: detects existing state and addresses only what is missing. Auto-invokes Deploy-Sentinel.ps1 if the workspace is missing. Color-coded banner with disclaimer. No sensitive IDs shown on screen.
  Level: Advanced
  Parameters: -SubscriptionId, -ResourceGroupName, -WorkspaceName, -Location
โ˜๏ธ

Defender for Cloud

Deploy-MDCProtection.ps1
  Description: 6-step protection: enable Defender plans (Servers, Storage, SQL, AppService, KeyVault, Containers), auto-provisioning, email notifications, Secure Score
  Level: Beginner
  Parameters: -SubscriptionId

Defender XDR

Invoke-XDRHuntingQueries.ps1
  Description: 6 KQL hunting queries: multi-stage attack chains, credential access, lateral movement, email-to-endpoint correlation, ransomware, identity threats
  Level: Advanced
  Parameters: -QueryName [All|specific]

Defender for Cloud Apps

Invoke-MDADiscovery.ps1
  Description: Cloud app discovery via Microsoft Graph API: enumerate discovered apps, audit OAuth registrations, retrieve MDA alerts
  Level: Intermediate
  Parameters: -InstallModules

Invoke-MDASessionPolicy.ps1
  Description: Conditional Access App Control session policies: CA policies with Cloud App Security controls for monitoring or blocking
  Level: Intermediate
  Parameters: -TargetAppName, -PolicyMode [MonitorOnly|BlockDownloads]

Defender for Office 365

Invoke-MDOPhishingSimulation.ps1
  Description: Attack simulation training: connect to Exchange Online, verify Safe Links/Attachments, configure phishing campaigns
  Level: Intermediate
  Parameters: -TargetMailboxes, -SimulationType

Invoke-MDOMailFlowRules.ps1
  Description: Mail flow protection: external email tagging, executable attachment blocking, phishing quarantine rules
  Level: Intermediate
  Parameters: -Action [Create|Review|Cleanup]

Microsoft Purview

Deploy-PurviewDLP.ps1
  Description: DLP policy deployment: PII protection, financial data policies, sensitivity labels, content inspection rules
  Level: Intermediate
  Parameters: -Action [Deploy|Review|Cleanup]

Invoke-PurvieweDiscoverySearch.ps1
  Description: eDiscovery content search across Exchange, SharePoint, and OneDrive with query builder and status tracking
  Level: Intermediate
  Parameters: -Action [Create|Status|Cleanup], -SearchQuery

Defender Vulnerability Management

Invoke-DVMBaselineAssessment.ps1
  Description: 5-phase assessment: Defender API connection, vulnerability data, CIS/Microsoft baselines, exposure analysis, remediation reports
  Level: Intermediate
  Parameters: -Action [Assess|Report|ExportCSV]

Invoke-DVMExposureHunting.ps1
  Description: KQL hunting queries for exposed services, browser extension risks, and exposure trends
  Level: Advanced
  Parameters: -Scope [InternetFacing|BrowserExtensions|Full]

Microsoft Entra

Invoke-EntraRiskAssessment.ps1
  Description: 6-phase identity posture: risky users, CA policy audit, MFA adoption, legacy auth detection, KQL dashboards
  Level: Intermediate
  Parameters: -Action [Assess|RiskyUsers|CAPolicies|LegacyAuth|Report]

Invoke-EntraRiskSimulation.ps1
  Description: Risk policy validation: verify CA enforcement, sign-in risk evaluations, risk detection history
  Level: Intermediate
  Parameters: -Scenario [VerifyPolicies|CheckSignIns|ReviewDetections]

App Governance

Invoke-AppGovAudit.ps1
  Description: OAuth app audit: enumerate service principals, identify high-privilege grants, publisher verification, dormant apps
  Level: Intermediate
  Parameters: -Action [Audit|HighRisk|Dormant|Export]

Invoke-AppGovRemediation.ps1
  Description: App remediation: revoke permission grants, disable service principals, rotate credentials, investigate activity
  Level: Advanced
  Parameters: -Action [Revoke|Disable|RotateCredentials|Investigate], -AppId

Data Loss Prevention

Deploy-EndpointDLP.ps1
  Description: Endpoint DLP deployment: policies scoped to devices, USB/print/clipboard rules, user notifications, lifecycle management
  Level: Intermediate
  Parameters: -Action [Deploy|Review|Cleanup]

Invoke-DLPIncidentHunting.ps1
  Description: KQL hunting for DLP incidents: risky identity correlation, bulk exfiltration, override abuse, cross-workload summary
  Level: Advanced
  Parameters: -QuerySet [RiskyIdentity|Exfiltration|OverrideAbuse|CrossWorkload|All]

MCP Servers

New-MCPServerProject.ps1
  Description: Scaffold a complete MCP server project: package.json, tsconfig, server entry point with tools, MSAL auth, and client config (Sentinel, XDR, or Blank templates)
  Level: Beginner
  Parameters: -ProjectName, -Template [Sentinel|XDR|Blank]

Deploy-MCPServerAzure.ps1
  Description: Deploy an MCP server to Azure Container Apps: Dockerfile generation, ACR push, Container Apps provisioning, SSE transport, managed identity
  Level: Intermediate
  Parameters: -Action [Build|Deploy|Status|Cleanup], -ProjectPath

Test-MCPServer.ps1
  Description: Test and validate MCP servers: launch Inspector, run smoke tests, validate SSE transport connectivity, test Azure AD authentication flow
  Level: Intermediate
  Parameters: -Action [Inspector|SmokeTest|TestSSE|TestAuth]

Enterprise Use Case Simulations

Invoke-EnterpriseUseCaseSimulation.ps1
  Description: Simulate enterprise security scenarios: ransomware attack chain, BEC investigation, insider threat detection, SOC transformation workflow with Security Copilot integration
  Level: Advanced
  Parameters: -Scenario [Ransomware|BEC|InsiderThreat|SOC], -SimulationMode

Invoke-AdvancedThreatSimulation.ps1
  Description: Multi-stage APT simulation: nation-state attack chain, supply chain compromise, multi-cloud lateral movement, proactive threat hunting with Defender XDR and Sentinel
  Level: Advanced
  Parameters: -Scenario [APT|SupplyChain|MultiCloud|Hunting], -SimulationMode
โ† All Labs 📦 Download All Scripts (.zip)