Related vulnerability
Description
Defensive PoC decoy for CVE-2025-59287 (WSUS) - emulates WSUS endpoints, captures request bodies and metadata, saves evidence for forensic analysis, and provides validation harness and detection rules.
Introduction
# wsus-decoy
Defensive proof-of-concept decoy for CVE-2025-59287 (WSUS). The decoy emulates WSUS web endpoints on ports 8530 and 8531, captures full HTTP request bodies and headers, stores evidence for forensic analysis, and includes a Windows test harness to validate endpoint, file and process telemetry. It also includes example detection rules (KQL and Suricata) and a Sentinel playbook template.
> IMPORTANT: This project is strictly defensive. It contains no exploit code. Run only in isolated lab or segmented test environment. Do not expose the decoy to production networks unless you understand the risks and have monitoring in place.
## Repo contents
- nginx config to proxy WSUS-like endpoints to a capture service
- Flask-based capture service that writes request bodies and metadata to disk
- Windows PowerShell harness to create the log file and spawn cmd.exe -> powershell -EncodedCommand for detection validation
- Suricata rules to detect suspicious WSUS POSTs
- KQL queries for high-confidence and early-warning detection in Microsoft Sentinel [(From @0x534c Steven Lim on X)](https://x.com/0x534c/status/1982034763805581524)
- Deployment and testing guides
## Quickstart (local lab)
1. Clone this repo.
2. In `capture/` create a Python venv, then `pip install -r requirements.txt`.
3. Update `nginx/nginx.conf` if needed and run nginx on the decoy host listening on 8530.
4. Start the Flask capture service (systemd unit provided).
5. On a Windows test VM with EDR enabled, run `windows-harness/wsus_test_harness.ps1`.
6. Generate a POST to `http://<decoy-ip>:8530/ReportWebService/ReportWebService.asmx` to test capture.
7. Ingest evidence artifacts into your SIEM or Log Analytics workspace and run the provided KQL queries to validate.
See `docs/deployment.md` and `docs/testing.md` for full instructions.
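As an added example (not the project's own `capture_service.py`), a stdlib-only version of the capture step from the quickstart: it answers any request on the decoy port, writes a JSON metadata record plus the raw body under an assumed `evidence/` directory, and flags `.asmx` paths as WSUS-style SOAP endpoints. The record layout, file naming and output directory are assumptions.

```python
import hashlib
import json
import os
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def build_evidence(method, path, headers, body, client_ip):
    """One forensic record per request; the raw body is stored separately."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": client_ip,
        "method": method,
        "path": path,
        "headers": dict(headers),
        "soap_action": headers.get("SOAPAction", ""),
        "body_len": len(body),
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "is_wsus_endpoint": path.split("?")[0].lower().endswith(".asmx"),
    }

def write_evidence(record, body, outdir):
    """Write <stem>.json (metadata) and <stem>.bin (raw body); return JSON path."""
    os.makedirs(outdir, exist_ok=True)
    stem = "%d_%s" % (int(time.time() * 1000), record["body_sha256"][:12])
    with open(os.path.join(outdir, stem + ".bin"), "wb") as f:
        f.write(body)
    json_path = os.path.join(outdir, stem + ".json")
    with open(json_path, "w") as f:
        json.dump(record, f, indent=2)
    return json_path

class DecoyHandler(BaseHTTPRequestHandler):
    outdir = "evidence"  # assumed output directory

    def _capture(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, 10 * 1024 * 1024))  # cap at 10 MiB
        rec = build_evidence(self.command, self.path, self.headers, body,
                             self.client_address[0])
        write_evidence(rec, body, self.outdir)
        # Answer like a SOAP endpoint that accepted the message; the body is only recorded.
        self.send_response(200)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET = _capture

if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8530), DecoyHandler).serve_forever()
```

Each capture leaves a `<timestamp>_<sha256 prefix>.json` record beside the raw `.bin` body, so the hash in the record can be matched against the quickstart's KQL queries after ingestion.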
## For Enterprise
- Visit lupovis.io
## License and attribution
This project is licensed under the MIT License. See the `LICENSE` file for full license text.
**Copyright (c) 2025 Lupovis**
Attribution: Created by `Lupovis`
Repository: https://github.com/Lupovis/Honeypot-for-CVE-2025-59287-WSUS/
## Safety note
Always run this in an isolated lab or segmented test network. Do not use real exploit payloads. The intent is to capture and analyze attacker activity in a safe way.
File snapshot
[4.0K] /data/pocs/efbadf58c03b18d68b988f6e9d735a4ff113ebc7
├── [4.0K] capture
│ ├── [1.7K] capture_service.py
│ ├── [ 11] requirements.txt
│ └── [4.0K] systemd
│ └── [ 261] wsus-capture.service
├── [4.8K] deploy_decoy.sh
├── [4.0K] detections
│ ├── [4.0K] kql
│ │ ├── [ 415] early_warning_kql.txt
│ │ └── [1.4K] high_confidence_kql.txt
│ ├── [4.0K] sentinel_playbook
│ │ └── [ 792] sentinel_playbook_template.md
│ └── [4.0K] suricata
│ └── [ 644] wsus_decoy.rules
├── [ 380] docker-compose.yml
├── [4.0K] docs
│ ├── [ 769] deployment.md
│ ├── [ 393] security_considerations.md
│ └── [ 610] testing.md
├── [4.0K] nginx
│ └── [ 854] nginx.conf
├── [2.3K] README.md
└── [4.0K] windows-harness
└── [1.2K] wsus_test_harness.ps1
9 directories, 15 files
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.