I suppose you already know that you can trigger AMP using the EICAR samples (eicar.org).
For rogue DHCP you could just run an open source DHCP server. Tftpd comes to mind.
But you can't do that remotely indeed. Unless you can access a client remotely. And I wouldn't do the DHCP test on a production network.