Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
Fakedrop is a fake malware dropper to help you safely simulate some suspicious and malicious activity on Sophos Intercept X protected endpoints without fear of causing a malware outbreak. This also means the tool is only for use with our products and not competitors. The code is quick and dirty however it helps get the job done.
It's designed to be run one or more machines protected by Intercept X (with the Advanced with EDR license). On one machine, you can run Fakedrop in Discovery mode. This will generate some artifacts you can look for in Sophos Central. On another machine, you can run Fakedrop in Trigger mode. This will generate some malicious detections and a threat case for you to investigate and use to discover the activity on the Discovery mode machine.
Fakedrop comes in two flavours: a graphical version and a command line version (fakedrop-gui.exe and fakedrop-cli.exe, respectively). Naturally, the command line version is much smaller and perfect for use in scripts etc as part of a bigger demo.
You might get malicious detections for Fakedrop itself - this is to be expected! To simulate how droppers commonly work, Fakedrop will unpack itself during execution, and is not signed by a code signing certificate. Be prepared to whitelist Fakedrop in Central by following the documentation to allow an application that's been detected.
Fakedrop is also open source (mostly because of the liberal use of open source software I used to make it...) which means you're welcome to modify it and make it your own. The source code is included with the download.
fakedrop-1.0.1.zip - Fakedrop itself. Please read the README!
1200.HighScore.zip - (You don't need to download this) Highscore.exe is a benign, non-malicious PE file used to raise a detection by our ML engine with high confidence that it is malicious (for testing purposes). It is not malicious and safe to execute. Fakedrop downloads this (from this page) as part of throwing a number of malicious detections.