Malware Sandbox Simulator

A Windows WinForms app that simulates malware-like behavior and produces EDR/IR-style telemetry (process, file, registry, network, persistence artifacts) for training, demos, and lab exercises.

Simulation only. No real malware runs.
The app does not execute payloads, does not encrypt/delete your real files, and does not modify your real registry.
Scenarios are script-driven and the app builds an in-memory endpoint state that is visualized in the UI.


What this project is for

  • Teaching “what defenders see” (process chains, persistence, C2 patterns, impact patterns)
  • SOC / DFIR practice using timelines and artifacts
  • Demonstrations and workshops (repeatable, safe, explainable)

What this project is NOT

  • A real sandbox / detonation chamber
  • A real EDR
  • A malware development framework

Features

  • Scripted scenarios (JSON) loaded from Scenarios/Scripts
  • Scenario narrative + steps (IR-friendly story context + MITRE tags)
  • Playback controls: Run / Pause / Step / Speed / Jump-to-step
  • UI views (depending on your build): Timeline, Artifacts, Network, Persistence (Services / Tasks / Startup), Alerts
  • Detection engine (rule-based) that raises alerts from simulated telemetry

Requirements

  • Windows 10/11
  • .NET SDK 9.x (project target: net9.0-windows)
  • Optional: Visual Studio 2022+ (recommended for WinForms designer)

Build and run

Run from source (Visual Studio)

Clone the repo:

git clone https://github.com/mhelail/MalwareSandboxSimulator.git
cd MalwareSandboxSimulator

Then:

  1. Open MalwareSandboxSimulator.sln
  2. Set MalwareSandboxSimulator as the startup project
  3. Build & Run

Run from source (dotnet)

dotnet restore
dotnet build -c Release
dotnet run --project MalwareSandboxSimulator/MalwareSandboxSimulator.csproj

How to use

  1. Select a scenario on the left
  2. Click Run (or use the replay controls if available)
  3. Watch:
    • Processes / Files / Registry
    • Timeline / Network / Persistence tabs
    • Alerts triggered by simulated telemetry
  4. Click Reset to restore a clean snapshot

Scenario scripts (JSON)

Where scripts live

Scenarios live in:

Scenarios/Scripts/

They are copied to the build output automatically so the app can load them when launched from bin/.

At runtime, scripts are loaded from:

<AppBaseDir>/Scenarios/Scripts

Included scenario scripts

This repository includes multiple scenario scripts under Scenarios/Scripts/. Common examples:

  • APC Injection (T1055.004) → svchost(Dnscache) Target → ImageLoad Artifact → Low-noise Beacons (Simulated)
    Script: Scenarios/Scripts/apc_injection_svchost.json (id: apc_injection_svchost)

  • Chained Intrusion → LSASS Credential Access → WMI/Service Lateral Movement → Defense Evasion → DNS Tunneling Exfil (Simulated)
    Script: Scenarios/Scripts/credential_lateral_evasion_exfil_v1.json (id: credential_lateral_evasion_exfil)

  • Fileless Chain → Office → PowerShell (Obfuscated) → Regsvr32 Signed Proxy → In-memory Fetch → Low-noise Beacons (Simulated)
    Script: Scenarios/Scripts/fileless_lolbin_chain.json (id: fileless_lolbin_chain)

  • Ransomware → Staging + Defense Evasion + Scheduled Task → Encryption + Ransom Note + Cleanup (Simulated)
    Script: Scenarios/Scripts/generic_ransomware_persistence.json (id: generic_ransomware_persistence)

  • Helpdesk Updater → LSASS Access + WMI/Service Exec + Defense Evasion + DNS Exfil (Simulated)
    Script: Scenarios/Scripts/helpdesk_lsass_wmi_dns_exfil.json (id: helpdesk_lsass_wmi_dns_exfil)

  • Keylogger → HKCU Run Persistence + HTTPS Batch Exfil + Reboot Resume (Simulated)
    Script: Scenarios/Scripts/keylogger_runkey_batch_exfil.json (id: keylogger_runkey_batch_exfil)

  • NotPetya-style Wiper → Supply Chain + Lateral Movement + Recovery Inhibition + Disk/MBR Impact (Simulated)
    Script: Scenarios/Scripts/notpetya_wiper_disruption.json (id: notpetya_wiper_disruption)

  • Infostealer (RedLine-style) → Profile Harvest + Staging (ZIP) + C2 Check-in/Settings + Burst Upload + Cleanup (Simulated)
    Script: Scenarios/Scripts/redline_infostealer_log.json (id: redline_infostealer_log)

  • Scheduled Task Persistence → AtLogon (DailySchedule) Launch → Low-noise DNS/HTTPS + Light Recon (Simulated)
    Script: Scenarios/Scripts/scheduled_task_atlogon_persist.json (id: scheduled_task_atlogon_persist)

  • Startup Folder Persistence → LNK Drop + Shortcut → Signed Proxy Execution → Low-noise Beacons (Simulated)
    Script: Scenarios/Scripts/startup_folder_lnk_persist.json (id: startup_folder_lnk_persist)

  • Storm-1811-style Helpdesk/QuickAssist → Persistence → Recovery Tampering → Ransomware Impact (Simulated)
    Script: Scenarios/Scripts/storm1811_quickassist_ransomware.json (id: storm1811_quickassist_ransomware)

  • ServiceDLL Persistence → svchost Service Host → Parameters\ServiceDll → Service Start + Low-noise Beacons (Simulated)
    Script: Scenarios/Scripts/svchost_servicedll_persist.json (id: svchost_servicedll_persist)

  • Winlogon Notify Persistence → DLLName + Userinit Impersonate + Multi-Event Callbacks → Post-Logon Beacons (Simulated)
    Script: Scenarios/Scripts/winlogon_notify_persist.json (id: winlogon_notify_persist)


Scenario schema (v2)

Each script contains:

  • metadata: id, name, description, optional global mitre
  • caseNarrative: IR-friendly story context (what happened and what to look for)
  • steps: ordered “phases” that can be jumped to (and can carry their own MITRE tags)
  • actions: ordered simulated events (process/file/registry/network/persistence/etc.)

Supported action types (current)

Simulated through in-memory state + UI telemetry:

  • process_start
  • drop_file
  • file_encrypt
  • file_delete
  • registry_set
  • registry_delete
  • dns_query
  • http_request (also accepts http_beacon / network_beacon as aliases, if present)
  • service_create
  • task_create
  • startup_add
  • keylogger_start
  • keylogger_stop
  • artifact_note

Detection and alerts (simple rule-based)

The simulator converts actions into telemetry events and evaluates them against lightweight rules, then surfaces alerts in the Alerts tab.

Example detections commonly included:

  • DNS tunneling pattern detection (long/high-entropy labels + repeated queries in a window)
  • Masquerading / suspicious process patterns
  • Office → PowerShell style execution patterns

This is intentionally simple and educational (not a real EDR).
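The scenario shape from the schema section above and the rule evaluation described in this section, as an added example that is not the project's own code: a constructed scenario script in the README's top-level shape (metadata, caseNarrative, steps, actions, using action types from the supported list) is loaded, flattened into telemetry events, and evaluated by two lightweight rules of the kind the README names: a DNS tunneling rule (long, high-entropy leftmost label plus repeated queries to the same base domain inside a time window) and an Office-to-script-host parent/child rule. The per-action field names (time, name, parent, domain, text), the thresholds, the window size and the process-name lists are assumptions for the example, not the simulator's.

```python
import json
import math
from collections import defaultdict

# Constructed scenario script in the top-level shape the README describes
# (metadata, caseNarrative, steps, actions). The per-action field names
# "time", "name", "parent", "domain" and "text" are assumptions, not the project's.
SCENARIO_JSON = r'''
{
  "metadata": {
    "id": "example_office_dns_exfil",
    "name": "Example: Office -> PowerShell -> DNS tunneling (constructed)",
    "description": "Constructed example script, not one of the repository's scenarios",
    "mitre": ["T1566.001", "T1059.001", "T1071.004"]
  },
  "caseNarrative": "A user opened a document; a child PowerShell process then issued repeated long DNS queries.",
  "steps": [
    {"id": "execution", "name": "Document spawns PowerShell", "mitre": ["T1059.001"]},
    {"id": "exfil", "name": "DNS tunneling beacons", "mitre": ["T1071.004"]}
  ],
  "actions": [
    {"type": "process_start", "time": 0, "name": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process_start", "time": 1, "name": "powershell.exe", "parent": "WINWORD.EXE"},
    {"type": "dns_query", "time": 2, "domain": "www.example.com"},
    {"type": "dns_query", "time": 3, "domain": "a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-example.test"},
    {"type": "dns_query", "time": 4, "domain": "0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.test"},
    {"type": "dns_query", "time": 5, "domain": "fedcba9876543210fedcba9876543210.c2-example.test"},
    {"type": "artifact_note", "time": 6, "text": "Beacons stop after three queries (constructed)"}
  ]
}
'''

# Process-name lists for the Office -> script host rule (assumed, illustrative).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def load_scenario(text):
    """Parse a scenario script and check the README's four top-level sections exist."""
    doc = json.loads(text)
    for key in ("metadata", "caseNarrative", "steps", "actions"):
        if key not in doc:
            raise ValueError(f"scenario missing top-level section '{key}'")
    return doc


def to_telemetry(scenario):
    """Flatten the ordered actions into (time, action_type, fields) telemetry events."""
    return [(a["time"], a["type"], a) for a in scenario["actions"]]


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_label(domain, min_len=20, min_entropy=3.0):
    """True when the leftmost label is long and high-entropy (thresholds are assumptions)."""
    left = domain.split(".")[0]
    return len(left) >= min_len and label_entropy(left) >= min_entropy


def base_domain(domain):
    """Last two labels, used to group queries belonging to one suspected C2 zone."""
    parts = domain.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def detect(events, window=60, min_queries=3):
    """Evaluate two lightweight rules over telemetry; return (rule, time, detail) alerts."""
    alerts = []
    recent = defaultdict(list)   # base domain -> times of recent suspicious queries
    fired = set()                # base domains already alerted on (one alert per zone)
    for t, kind, a in events:
        if kind == "process_start":
            parent, child = a.get("parent", "").lower(), a.get("name", "").lower()
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append(("office_child_script", t, f'{a["parent"]} -> {a["name"]}'))
        elif kind == "dns_query":
            domain = a.get("domain", "")
            if not suspicious_label(domain):
                continue
            zone = base_domain(domain)
            times = recent[zone]
            times.append(t)
            while times and t - times[0] > window:   # sliding window in simulated seconds
                times.pop(0)
            if len(times) >= min_queries and zone not in fired:
                fired.add(zone)
                alerts.append(("dns_tunneling", t,
                               f"{len(times)} high-entropy queries to {zone} within {window}s"))
    return alerts


def run(text=SCENARIO_JSON):
    """Load the script, emit telemetry, and return the alerts the rules raise."""
    return detect(to_telemetry(load_scenario(text)))


if __name__ == "__main__":
    for rule, t, detail in run():
        print(f"t={t:>3}s  {rule:<20} {detail}")
```

Run as a script it prints two alerts: the office_child_script alert at the WINWORD.EXE -> powershell.exe start, and one dns_tunneling alert at the third high-entropy query to c2-example.test. The benign www.example.com query never enters the window because its leftmost label is short, and the rule fires once per zone rather than once per query, which is the behaviour you want from an Alerts tab that should stay readable during a long beacon phase.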


Project layout (high level)

  • Scenarios/
    JSON scenario scripts + loader + IR steps/narratives

  • Core/
    Scenario engine, playback controller, simulation clock, detection engine, training/session logic

  • UI/
    WinForms UI + pipeline context that emits telemetry → detection → alerts

If present, see behavior_map.md for a mapping of behaviors → telemetry/UI.


Screenshots

(Screenshot images of the Timeline, Alerts, Network, Processes and Files views; the images are not reproduced in this text.)

Safety note

This repository is designed for defensive education and safe simulations.

