Skip to content
/ Honeypot-for-CVE-2025-59287-WSUS Public

Defensive PoC decoy for CVE-2025-59287 (WSUS) - emulates WSUS endpoints, captures request bodies and metadata, saves evidence for forensic analysis, and provides validation harness and detection rules.

26 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Lupovis/Honeypot-for-CVE-2025-59287-WSUS

BranchesTags

Repository files navigation

wsus-decoy

Defensive proof of concept decoy for CVE-2025-59287 (WSUS). The decoy emulates WSUS web endpoints on ports 8530 and 8531, captures full HTTP request bodies and headers, stores evidence for forensic analysis, and includes a Windows test harness to validate endpoint, file and process telemetry. It also includes example detection rules (KQL and Suricata) and a Sentinel playbook template.

IMPORTANT: This project is strictly defensive. It contains no exploit code. Run only in isolated lab or segmented test environment. Do not expose the decoy to production networks unless you understand the risks and have monitoring in place.

Repo contents

  • nginx config to proxy WSUS-like endpoints to a capture service
  • Flask-based capture service that writes request bodies and metadata to disk
  • Windows PowerShell harness to create the log file and spawn cmd.exe -> powershell -EncodedCommand for detection validation
  • Suricata rules to detect suspicious WSUS POSTs
  • KQL queries for high-confidence and early-warning detection in Microsoft Sentinel (From @0x534c Steven Lim on X)
  • Deployment and testing guides

Quickstart (local lab)

  1. Clone this repo.
  2. In capture/ create a Python venv, then pip install -r requirements.txt.
  3. Update nginx/nginx.conf if needed and run nginx on the decoy host listening on 8530.
  4. Start the Flask capture service (systemd unit provided).
  5. On a Windows test VM with EDR enabled, run windows-harness/wsus_test_harness.ps1.
  6. Generate a POST to http://<decoy-ip>:8530/ReportWebService/ReportWebService.asmx to test capture.
  7. Ingest evidence artifacts into your SIEM or Log Analytics workspace and run the provided KQL queries to validate.

See docs/deployment.md and docs/testing.md for full instructions.

For Enterprise

  • Visit lupovis.io

License and attribution

This project is licensed under the MIT License. See the LICENSE file for full license text.

Copyright (c) 2025 Lupovis

Attribution: Created by Lupovis
Repository: https://github.com/Lupovis/Honeypot-for-CVE-2025-59287-WSUS/

Safety note

Always run this in an isolated lab or segmented test network. Do not use real exploit payloads. The intent is to capture and analyze attacker activity in a safe way.

About

Defensive PoC decoy for CVE-2025-59287 (WSUS) - emulates WSUS endpoints, captures request bodies and metadata, saves evidence for forensic analysis, and provides validation harness and detection rules.

Resources

Readme
Activity
Custom properties

Stars

26 stars

Watchers

0 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages