Defender can show as fully healthy.
That does not mean it's working.
This framework helps you prove it.
This framework allows you to safely simulate activity and validate how Defender actually behaves on an endpoint. It is designed to be simple to run with minimal setup. The script is run on the local machine that is onboarded to Defender for Endpoint.
Results may vary depending on:
- Defender mode (active vs passive)
- Onboarding state
- Licensing level
- Telemetry delays
Always validate device configuration before assuming failure.
Defender can appear fully onboarded and healthy.
But that does not guarantee detection and response are working as expected.
This framework helps validate that behavior in a controlled, safe way.
- Security engineers validating Defender deployments
- Administrators onboarding Microsoft Defender for Endpoint
- Teams testing security controls in lab or production environments
- Overview
- What This Framework Validates
- Architecture
- Features
- Quick Start
- Test Categories
- Expected Outcomes & Verification
- Reporting
- Repository Structure
- Roadmap
- Requirements
- Disclaimers
Deploying Microsoft Defender for Endpoint is only part of the solution.
This framework helps answer a more important question:
Are your endpoint security controls actually working as expected?
This project provides a structured approach to validating:
- Endpoint protection readiness
- Prevention controls (AV / ASR)
- Detection and telemetry generation
- Alert visibility through Microsoft Graph
- Analyst verification workflows
This is not a vulnerability scanner or offensive tool.
It is a defensive validation framework designed to safely test:
✔️ Defender AV detection capability (EICAR)
✔️ Endpoint Detection & Response (EDR) telemetry
✔️ Attack Surface Reduction (ASR) configuration
✔️ Microsoft Graph alert visibility
✔️ Endpoint sensor and platform health
🏗️ Architecture
The framework is organized into validation domains:
- Platform Health
- Defender sensor (Sense service)
- AV status and readiness
- Prevention Validation
- Antivirus detection testing
- ASR configuration checks
- Detection & Telemetry
- Benign EDR simulation (encoded PowerShell)
- Timeline artifact generation
- Cloud Visibility
- Microsoft Graph connectivity
- Alert retrieval and inspection
- Reporting
- JSON output for automation
- HTML report for analysis and demonstration
- GUI-based execution (Invoke-MDEGui.ps1)
- Modular PowerShell framework (MDETestFramework.psm1)
- Safe AV validation using EICAR test string
- Benign EDR simulation for telemetry validation
- Microsoft Graph integration for alert retrieval
- JSON + HTML reporting outputs
- Designed for lab and enterprise validation scenarios
- Clone the repository and launch the GUI:

```powershell
git clone https://github.com/dferrell30/MDE-Test-Framework.git
cd MDE-Test-Framework
# Bypass the execution policy if needed
Set-ExecutionPolicy Bypass -Scope CurrentUser
# Run once from PowerShell at the repository root
.\Invoke-MDEGui.ps1
```

- Run validation tests
- Select desired test options
- Connect to Microsoft Graph (optional)
- Execute tests
- Review results in HTML or JSON output
🧪 Tested in a lab environment. Results may vary based on Defender configuration, onboarding state, and licensing.
- Platform Health
- Validates Defender sensor and service status
- Confirms AV readiness and configuration
- Prevention Validation
- Executes EICAR test for AV detection validation
- Verifies ASR rule configuration presence
- Detection & Telemetry
- Executes benign encoded PowerShell
- Generates telemetry for timeline and hunting validation
- Cloud Visibility
- Tests Microsoft Graph connectivity
- Retrieves recent Defender alerts
| Test | Expected Result | Where to Validate | Why It Matters |
|---|---|---|---|
| EICAR Test | File detected or quarantined | Device timeline / alerts | Confirms AV detection is working |
| PowerShell Simulation | Process execution logged | Device timeline | Validates EDR telemetry visibility |
| Alert Retrieval | Alerts returned via Graph | MDE Portal / API | Ensures alerts are generated and accessible |
| ASR Checks | Rules enforced or reported | Defender settings / logs | Verifies attack surface reduction coverage |
Note: Some detections depend on policy configuration, sensitivity levels, and environment tuning.
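As an added example (not code from the MDE-Test-Framework repository), the EICAR row of the table above can be checked from one PowerShell function that writes the test file, waits for Defender to act on it, and then cross-checks the detection through the Defender cmdlets; the file path, the timeout, and running from an elevated prompt are assumptions.

```powershell
# Added example; not part of MDE-Test-Framework. Assumes the Defender module
# (Get-MpThreatDetection / Get-MpThreat) is present and the prompt is elevated.
function Test-EicarDetection {
    param(
        [string]$Path = (Join-Path $env:TEMP 'mde-validation-eicar.com'),  # assumed location
        [int]$TimeoutSeconds = 60                                          # assumed wait
    )
    # Assemble the EICAR string from two halves at run time so this script file
    # is not itself matched by the EICAR signature when it is saved to disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $started = Get-Date
    $result = [ordered]@{
        Test = 'EICAR'; Path = $Path; Detected = $false; Mechanism = 'None'; ThreatName = $null
    }
    try {
        # EICAR must be written as plain ASCII bytes. Real-time protection may
        # refuse the write outright, which is itself a positive result.
        [IO.File]::WriteAllText($Path, $eicar, [Text.Encoding]::ASCII)
    } catch {
        $result.Detected  = $true
        $result.Mechanism = 'Write blocked by real-time protection'
    }
    # Otherwise poll until Defender removes or quarantines the file, or we time out.
    while (-not $result.Detected -and ((Get-Date) - $started).TotalSeconds -lt $TimeoutSeconds) {
        if (-not (Test-Path -LiteralPath $Path)) {
            $result.Detected  = $true
            $result.Mechanism = 'File removed or quarantined'
        } else { Start-Sleep -Seconds 2 }
    }
    # Cross-check against Defender's own detection history for this path.
    $hit = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $started.AddMinutes(-1) -and
                       ($_.Resources -join ';') -like "*$Path*" } |
        Select-Object -First 1
    if ($hit) {
        $result.Detected   = $true
        $result.ThreatName = (Get-MpThreat -ThreatID $hit.ThreatID -ErrorAction SilentlyContinue).ThreatName
    }
    # Clean up ourselves if Defender did not act; a surviving file is a failed check.
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Force }
    [pscustomobject]$result
}

# Emit the result as JSON so it can be kept alongside the framework's reports.
Test-EicarDetection | ConvertTo-Json
```

A result with `Detected = false` after the timeout is the case the table calls out: before concluding that AV is broken, confirm the device is in active mode and that real-time protection is enabled.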
Reporting
The framework generates:
- JSON Output
- Structured results for automation
- Suitable for pipelines or further analysis
- HTML Report
- Human-readable validation report
- Useful for demos, audits, and validation evidence
```text
MDE-Test-Framework/
├── README.md
├── CHANGELOG.md
├── LICENSE
├── .gitignore
├── SECURITY.md
├── Invoke-MDEGui.ps1
├── MDETestFramework.psm1
├── docs/
│   └── PLAYBOOK.md
└── logs/
    └── .gitkeep
```
- ASR behavioral validation tests
- Expected vs actual result mapping
- Enhanced HTML reporting (analyst guidance)
- Alert-to-test correlation
- Advanced Hunting (KQL) integration
- Expanded validation scenarios
- Windows endpoint with Microsoft Defender for Endpoint onboarded
- PowerShell 5.1+ or PowerShell 7+
- Microsoft Graph PowerShell SDK (for cloud validation)
- Appropriate permissions for Graph queries
This project is intended for defensive security validation and educational use.
- Do not use this framework in unauthorized environments
- Do not use for offensive or malicious purposes
- Always perform testing in approved lab or enterprise environments
- Some tests generate telemetry that may trigger alerts
The author is not responsible for misuse of this tool or unintended impacts resulting from its execution.
This tool is provided for educational, testing, and security validation purposes only.
Use of this tool should be limited to:
- Authorized environments
- Lab or approved enterprise systems
The author assumes no liability or responsibility for:
- Misuse of this tool
- Damage to systems
- Unauthorized or improper use
By using this tool, you agree to use it in a lawful and responsible manner.
This project is not affiliated with or endorsed by Microsoft.
This project is an independent work developed in a personal capacity.
The views, opinions, code, and content expressed in this repository are solely my own and do not reflect the views, policies, or positions of any current or future employer, client, or affiliated organization.
No employer, past, present, or future, has reviewed, approved, endorsed, or is in any way associated with these works.
This project was developed outside the scope of any employment and without the use of proprietary, confidential, or restricted resources.
Beginning with the current Community Edition release, Shadow Suite repositories transitioned to the Business Source License 1.1 (BSL).
This change was made to support:
- long-term platform sustainability
- consistent Shadow Suite ecosystem licensing
- branding protection
- future platform development
- responsible community distribution
Shadow Suite Community Edition remains available for:
- personal use
- research
- educational use
- defensive security operations
- internal organizational evaluation
Commercial redistribution, managed service integration, SaaS hosting, rebranding, or derivative commercial offerings require written authorization.
Previous releases remain subject to the license terms under which they were originally published.