Fakedrop - a quick and dirty testing and demo tool for EDR

Fakedrop is a fake malware dropper to help you safely simulate some suspicious and malicious activity on Sophos Intercept X protected endpoints without fear of causing a malware outbreak. This also means the tool is only for use with our products and not competitors. The code is quick and dirty however it helps get the job done.

It's designed to be run one or more machines protected by Intercept X (with the Advanced with EDR license). On one machine, you can run Fakedrop in Discovery mode. This will generate some artifacts you can look for in Sophos Central. On another machine, you can run Fakedrop in Trigger mode. This will generate some malicious detections and a threat case for you to investigate and use to discover the activity on the Discovery mode machine.

Fakedrop comes in two flavours: a graphical version and a command line version (fakedrop-gui.exe and fakedrop-cli.exe, respectively). Naturally, the command line version is much smaller and perfect for use in scripts etc as part of a bigger demo.

You might get malicious detections for Fakedrop itself - this is to be expected! To simulate how droppers commonly work, Fakedrop will unpack itself during execution, and is not signed by a code signing certificate. Be prepared to whitelist Fakedrop in Central by following the documentation to allow an application that's been detected.

Fakedrop is also open source (mostly because of the liberal use of open source software I used to make it...) which means you're welcome to modify it and make it your own. The source code is included with the download.


fakedrop-1.0.2.zip- Fakedrop itself. Please read the README!