
Script Repository

Ready-to-run PowerShell scripts for every security lab.
Download, customize, and execute simulations in your own environment.

How to Use These Scripts

  1. Download the script file for the simulation you want to run
  2. Review the header comments for requirements, prerequisites, and expected alerts
  3. Open PowerShell as Administrator on your test device (never on production)
  4. Set execution policy if needed: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  5. Run the script with the documented parameters
  6. Verify the expected alerts appear in the corresponding security portal
  7. Clean up by running the script's cleanup function or following the cleanup instructions

⚠️ Warning & Disclaimer: These scripts simulate attack techniques for educational purposes only. Run them exclusively in isolated lab environments. Never execute on production systems.

All scripts are provided by Lessi Coulibaly (LessIT) strictly for educational and training purposes. Lessi Coulibaly and LessIT are not liable for any damage, data loss, service disruption, security incidents, or any other harm caused directly or indirectly by the use or misuse of these scripts. They are provided "AS IS" without warranty of any kind. Each script requires you to accept this disclaimer before it will execute.


Defender for Endpoint

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-MDEDetectionTest.ps1 | 5-test detection validation: sensor check, official Microsoft test, EICAR download, network protection, encoded PowerShell command | Beginner | No params required
Invoke-RansomwareSimulation.ps1 | 6-phase safe ransomware simulation: staging, credential access, discovery, lateral movement, data collection, impact | Advanced | -CleanupOnly
Test-NetworkProtection.ps1 | 11-check network protection validator: NP mode, Defender AV prerequisites, SmartScreen, QUIC/ECH browser policies, firewall rules, cloud connectivity, Windows Server settings, event log | Advanced | -FixIssues -BlockQUIC

Defender for Identity

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-MDIReconSimulation.ps1 | 4-phase LDAP recon: privileged group enumeration, user enumeration, domain trust mapping, computer discovery | Intermediate | -DomainController
Invoke-MDICredentialTheftSim.ps1 | Kerberoasting & AS-REP Roasting simulation for service accounts without pre-authentication | Advanced | -AttackType [Kerberoast|ASREPRoast|Both]
Invoke-MDILateralMovementSim.ps1 | 4-method lateral movement: Remote PowerShell, WMI, admin share access, PsExec-style service creation | Advanced | -TargetComputer
Invoke-MDIDCSyncSimulation.ps1 | DCSync replication simulation using DSInternals for directory replication protocol requests | Advanced | -TargetAccount

Microsoft Sentinel

Script | Description | Level | Parameters
--- | --- | --- | ---
Deploy-SentinelWorkspace.ps1 | 6-step deployment: resource group, Log Analytics workspace, Sentinel solution, Azure AD connector, analytics rule, automation rule | Beginner | -ResourceGroup, -WorkspaceName, -Location
โ˜๏ธ

Defender for Cloud

View Labs โ†’
Script Description Level Parameters
Deploy-MDCProtection.ps1 6-step protection: enable Defender plans (Servers, Storage, SQL, AppService, KeyVault, Containers), auto-provisioning, email notifications, Secure Score Beginner -SubscriptionId

Defender XDR

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-XDRHuntingQueries.ps1 | 6 KQL hunting queries: multi-stage attack chains, credential access, lateral movement, email-to-endpoint correlation, ransomware, identity threats | Advanced | -QueryName [All|specific]

Defender for Cloud Apps

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-MDADiscovery.ps1 | Cloud app discovery via Microsoft Graph API: enumerate discovered apps, audit OAuth registrations, retrieve MDA alerts | Intermediate | -InstallModules
Invoke-MDASessionPolicy.ps1 | Conditional Access App Control session policies: CA policies with Cloud App Security controls for monitoring or blocking | Intermediate | -TargetAppName, -PolicyMode [MonitorOnly|BlockDownloads]

Defender for Office 365

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-MDOPhishingSimulation.ps1 | Attack simulation training: connect to Exchange Online, verify Safe Links/Attachments, configure phishing campaigns | Intermediate | -TargetMailboxes, -SimulationType
Invoke-MDOMailFlowRules.ps1 | Mail flow protection: external email tagging, executable attachment blocking, phishing quarantine rules | Intermediate | -Action [Create|Review|Cleanup]

Microsoft Purview

Script | Description | Level | Parameters
--- | --- | --- | ---
Deploy-PurviewDLP.ps1 | DLP policy deployment: PII protection, financial data policies, sensitivity labels, content inspection rules | Intermediate | -Action [Deploy|Review|Cleanup]
Invoke-PurvieweDiscoverySearch.ps1 | eDiscovery content search across Exchange, SharePoint, OneDrive with query builder and status tracking | Intermediate | -Action [Create|Status|Cleanup], -SearchQuery

Vulnerability Management

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-DVMBaselineAssessment.ps1 | 5-phase assessment: Defender API connection, vulnerability data, CIS/Microsoft baselines, exposure analysis, remediation reports | Intermediate | -Action [Assess|Report|ExportCSV]
Invoke-DVMExposureHunting.ps1 | KQL hunting queries for exposed services, browser extension risks, and exposure trends | Advanced | -Scope [InternetFacing|BrowserExtensions|Full]

Entra ID Protection

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-EntraRiskAssessment.ps1 | 6-phase identity posture: risky users, CA policy audit, MFA adoption, legacy auth detection, KQL dashboards | Intermediate | -Action [Assess|RiskyUsers|CAPolicies|LegacyAuth|Report]
Invoke-EntraRiskSimulation.ps1 | Risk policy validation: verify CA enforcement, sign-in risk evaluations, risk detection history | Intermediate | -Scenario [VerifyPolicies|CheckSignIns|ReviewDetections]

App Governance

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-AppGovAudit.ps1 | OAuth app audit: enumerate service principals, identify high-privilege grants, publisher verification, dormant apps | Intermediate | -Action [Audit|HighRisk|Dormant|Export]
Invoke-AppGovRemediation.ps1 | App remediation: revoke permission grants, disable service principals, rotate credentials, investigate activity | Advanced | -Action [Revoke|Disable|RotateCredentials|Investigate], -AppId

Data Loss Prevention

Script | Description | Level | Parameters
--- | --- | --- | ---
Deploy-EndpointDLP.ps1 | Endpoint DLP deployment: policies scoped to devices, USB/print/clipboard rules, user notifications, lifecycle management | Intermediate | -Action [Deploy|Review|Cleanup]
Invoke-DLPIncidentHunting.ps1 | KQL hunting for DLP incidents: risky identity correlation, bulk exfiltration, override abuse, cross-workload summary | Advanced | -QuerySet [RiskyIdentity|Exfiltration|OverrideAbuse|CrossWorkload|All]

MCP Servers

Script | Description | Level | Parameters
--- | --- | --- | ---
New-MCPServerProject.ps1 | Scaffold a complete MCP server project: package.json, tsconfig, server entry point with tools, MSAL auth, and client config (Sentinel, XDR, or Blank templates) | Beginner | -ProjectName, -Template [Sentinel|XDR|Blank]
Deploy-MCPServerAzure.ps1 | Deploy MCP server to Azure Container Apps: Dockerfile generation, ACR push, Container Apps provisioning, SSE transport, managed identity | Intermediate | -Action [Build|Deploy|Status|Cleanup], -ProjectPath
Test-MCPServer.ps1 | Test & validate MCP servers: launch Inspector, run smoke tests, validate SSE transport connectivity, test Azure AD authentication flow | Intermediate | -Action [Inspector|SmokeTest|TestSSE|TestAuth]

Enterprise Use Case Simulations

Script | Description | Level | Parameters
--- | --- | --- | ---
Invoke-EnterpriseUseCaseSimulation.ps1 | Simulate enterprise security scenarios: ransomware attack chain, BEC investigation, insider threat detection, SOC transformation workflow with Security Copilot integration | Advanced | -Scenario [Ransomware|BEC|InsiderThreat|SOC], -SimulationMode
Invoke-AdvancedThreatSimulation.ps1 | Multi-stage APT simulation: nation-state attack chain, supply chain compromise, multi-cloud lateral movement, proactive threat hunting with Defender XDR and Sentinel | Advanced | -Scenario [APT|SupplyChain|MultiCloud|Hunting], -SimulationMode
โ† All Labs 📦 Download All Scripts (.zip)