Exploit PoC & Detection Lab

Red Teamingv1.0.0

Benign-by-default exploit PoCs for 5 disclosed CVEs/techniques, each paired with Sigma/YARA/KQL detections so blue teams can validate coverage in a lab.

5
PoC Packs
11
Detection Rules
2
CISA KEV
9.8
Max CVSS

01Overview

Exploit PoC & Detection Lab is a purple-team repository that reproduces five publicly disclosed, patched vulnerabilities and techniques so blue teams can prove their detections actually fire. Every pack is self-contained and follows one hard rule set: benign by default (a PoC only ever writes a proof file or prints the run-as identity), impactful actions gated behind clearly-labeled off-by-default switches, and every exploit shipped alongside the detection content needed to catch it.

The catalog spans four CVEs and one ATT&CK technique across a deliberate spread of attack surfaces: a Windows AD DS / Network Configuration Operators local privilege escalation to SYSTEM (CVE-2025-21293), two unauthenticated RCEs that were mass-exploited in the wild and added to CISA KEV — WSUS .NET deserialization (CVE-2025-59287) and SAP NetWeaver Visual Composer file-upload (CVE-2025-31324) — an LSASS credential-dump technique via the signed LOLBin comsvcs.dll (T1003.001), and a safe, non-destructive assessment kit for a wormable HTTP.sys kernel RCE (CVE-2026-47291).

What makes it notable is the discipline. The HTTP.sys pack deliberately ships no weaponized exploit — because firing a kernel heap overflow BSODs the host and no public root-cause exists — and instead gives a definitive patched/vulnerable verdict from the MSRC-documented MaxRequestBytes condition. The SAP pack's benign JSP probe proves arbitrary-Java RCE without dropping a usable command shell, and even ships a YARA rule for its own probe so defenders can tell an authorized test from a real attacker. It's a reference for how to publish offensive research responsibly.

The audience is detection engineers, SOC teams, red/purple teamers, and researchers who want to validate coverage in an isolated, snapshotted lab. Each pack documents the vuln (CVSS, affected/patched versions, root cause), the exact run and cleanup steps, remediation guidance, and Sigma/YARA/Suricata/KQL/Sysmon detections mapped to MITRE ATT&CK.

02Key Capabilities

Five curated exploit/technique packs

Four disclosed CVEs plus one ATT&CK technique, each a self-contained, isolated directory that is runnable and cleanable on its own with no cross-pack dependencies.

Benign-by-default payloads

Default payloads only prove execution (write a proof file or print the run-as identity); genuinely impactful actions like spawning a SYSTEM shell or adding an admin are compile-time/runtime switches that ship OFF.

Detection paired with every exploit

No pack is complete without Sigma, and most add YARA, Suricata, KQL hunting queries, and Sysmon config so defenders can validate the full telemetry-to-alert pipeline.

Safe assessment over weaponization

For the wormable HTTP.sys kernel RCE, the repo ships a non-destructive checker (patch state, MaxRequestBytes config, exposure) instead of a BSOD-inducing overflow, giving a definitive verdict at zero risk to the target.

Gated, self-cleaning red-team drivers

The SAP and WSUS drivers default to dry-run/probe, gate the actual upload behind --confirm, track dropped artifacts in state files, and provide reliable --cleanup and self-destruct so tests leave no residue.

Detection-first credential-access lab

The LSASS/comsvcs pack exists to generate telemetry: a dry-run-by-default trigger whose robust detection keys on any process opening lsass.exe with a dump access mask (Sysmon EID 10), not a brittle string match.

Reproducible lab provisioning

Packs include setup/cleanup scripts (create the Network Configuration Operators lab user, install the WSUS role) to stand up a vulnerable target and tear it down safely.

Before/after patch demonstration

Each README documents the exact fix (KB / SAP Note / registry ACL change) and how to verify it, so a pack doubles as a patch-efficacy and remediation-validation exercise.

MITRE ATT&CK-mapped Sigma

Sigma rules carry attack.* tags spanning eight techniques (T1546, T1068, T1190, T1505.003, T1059.001/003, T1003.001, T1218.011) for coverage tracking; the primary rule in each pack is tagged (6 of the 10 rules).

Authoritative references per pack

Every README cites NVD, MSRC/vendor advisories, CISA KEV, and original research so findings are auditable and grounded, not hand-waved.

03Architecture

The repo is not a single application but a collection of five uniform PoC packs, each following the canonical template defined in CLAUDE.md: a README, a driver, optional payload source, lab provisioning scripts, and a detection/ folder. A pack's driver walks a linear pipeline — setup/register, trigger in the privileged context, check for proof, then clean up — while detection content is authored in parallel so the exploit and its signatures ship together.

1
Driver / entrypoint
A Python exploit.py or PowerShell trigger (or the CVE-2026-47291 safe checker) that orchestrates setup -> trigger -> check -> cleanup with argparse flags and safety gates like --confirm and dry-run defaults.
2
Payload layer
Minimal benign proof artifacts kept separate from the driver: the x64 perfctr_payload.c performance-counter DLL with off-by-default SPAWN_SHELL/ADD_ADMIN defines, and the identity-fingerprint poc_probe.jsp that self-destructs.
3
Lab provisioning
setup_lab / cleanup_lab / install_wsus scripts that build a vulnerable, isolated target (lab user in Network Configuration Operators, WSUS role) and reliably tear it down.
4
Detection layer
Per-pack detection/ folder holding Sigma rules, Sysmon EID configs, YARA signatures, Suricata IDS rules, and KQL hunting queries that fire on the telemetry the driver generates.
5
Remediation & docs
Each README ties the pack together with CVSS scoring, affected/patched matrices, exact run/cleanup steps, remediation (patch KB / SAP Note / hardening), and authoritative references.

04Project Structure

README.mdCatalog of the five packs with severity, type, and highlights, plus the shared usage and safety disclaimer.
CLAUDE.mdRepo conventions and hard safety guardrails: authorized-lab-only, benign-by-default, pair-with-detection, never-weaponize.
CVE-2025-21293-PoC/AD DS / Network Configuration Operators LPE to SYSTEM via a malicious performance-counter DLL; canonical template pack (driver, C payload, lab, detection).
CVE-2025-59287-PoC/WSUS unauthenticated .NET deserialization RCE (CISA KEV); ysoserial-fed AES-CBC SOAP gadget driver plus WSUS install script and Sigma/KQL.
CVE-2025-31324-PoC/SAP NetWeaver Visual Composer unauth file-upload RCE (CISA KEV); benign JSP probe, gated upload/cleanup driver, and Sigma/YARA/KQL detection.
T1003.001-LSASS-comsvcs-PoC/Detection-first LSASS credential dump via comsvcs.dll; dry-run PowerShell trigger with Sysmon/Sigma/KQL and RunAsPPL/Credential Guard hardening.
CVE-2026-47291-PoC/HTTP.sys kernel RCE safe-assessment pack: non-destructive checker (no overflow) plus Sigma/Suricata/KQL crash-and-oversized-request detection.
detection/ (per pack)The detection folder in each pack: Sigma rules, Sysmon XML, YARA, Suricata rules, and KQL hunting queries for blue-team validation.
LICENSEOpen-source license for the repository.
.gitignoreIgnore rules that already exclude native build output (*.dll/*.exe/*.obj/*.lib/*.pdb), Python caches, third-party tooling (ysoserial), and secrets/live-target data.

05Security Controls

Local privilege escalation (CVE-2025-21293)
Registers a perf-counter DLL under Dnscache/NetBT service keys and forces WmiPrvSE.exe (SYSTEM) to load it via a WMI query; detected with Sysmon EID 12/13/7 Sigma rules for perf-DLL registration outside System32 and unusual WmiPrvSE image loads.
Unauthenticated RCE — WSUS (CVE-2025-59287)
AES-128-CBC-encrypted AuthorizationCookie deserialization gadget over SOAP to Client/Reporting web services; detected via w3wp.exe/wsusservice.exe spawning a shell (near-zero-FP process-chain rule) and suspicious large POSTs to .asmx endpoints.
Unauthenticated RCE — SAP (CVE-2025-31324)
Missing-authorization Metadata Uploader POST drops a JSP that runs as <sid>adm; detected by uploader POST + webshell GET Sigma, a YARA rule for JSP command webshells, and SAP-process-spawns-shell hunting.
Credential access (T1003.001)
LSASS memory dump via signed comsvcs.dll MiniDump; high-fidelity detection keys on lsass.exe access masks (0x1010/0x1410/0x1438/0x143a/0x1fffff) in Sysmon EID 10 plus the rundll32+comsvcs+MiniDump command line.
Kernel RCE safe assessment (CVE-2026-47291)
Non-destructive checker reads OS build, hotfixes, HTTP service state, and MaxRequestBytes/MaxFieldLength to verdict patched vs. the MSRC-stated vulnerable config (>=65534), plus benign remote http.sys fingerprinting — never sends an oversized request.
Benign-by-default enforcement
Impactful behavior is compiled/flagged OFF (perfctr_payload.c SPAWN_SHELL/ADD_ADMIN defines default 0; JSP probe has no command exec; no bundled ?cmd= webshell or payload generator), keeping public artifacts non-weaponized.
Hardening & remediation guidance
Packs prescribe the fix and prevention: patch KBs / SAP Notes 3594142+3604119, RunAsPPL, Credential Guard, the Defender ASR LSASS rule, SeDebugPrivilege restriction, and MaxRequestBytes/firewall mitigations.
Multi-format detection coverage
10 Sigma rules whose attack.* tags span 8 ATT&CK techniques, 3 YARA rules, 3 Suricata IDS SIDs, 2 Sysmon configs, and 4 KQL hunting query sets for Defender XDR / Sentinel.

06Technology Stack

Languages
Python 3 (drivers + safe checker), PowerShell (lab/trigger scripts), C (x64 perf-counter DLL payload), JSP (SAP probe), Batch (build script)
Python dependencies
requests; pycryptodome (WSUS AES-CBC); declared per-pack in requirements.txt
External tooling
ysoserial.net for WSUS gadget generation (not bundled); MSVC cl.exe or MinGW-w64 for the native DLL; Sysmon for telemetry
Detection formats
Sigma (YAML), YARA, Suricata rules, Microsoft KQL, Sysmon XML
Target platforms
Windows 10/11 & Server 2012-2025, WSUS role, SAP NetWeaver AS Java
CI / tests
None — a lab/PoC repo (no test harness or CI pipeline); source + build scripts only, no committed build artifacts

07Quick Start

$ CVE-2025-21293: powershell -File .\lab\setup_lab.ps1; cd payload && .\build.bat; then as the low-priv user run python exploit.py --all and check C:\poc-cve-2025-21293\proof_*.txt
$ CVE-2025-59287: pip install -r requirements.txt; python exploit.py --target 10.0.0.50 --ysoserial C:\tools\ysoserial.exe (benign proof; confirm on the WSUS server, not the HTTP response)
$ CVE-2025-31324: python exploit.py -t sapnw.lab --port 50000 --check (safe probe), then --confirm to upload the benign JSP, then --cleanup to self-destruct the artifact
$ T1003.001: .\trigger_lsass_dump.ps1 (dry run), .\trigger_lsass_dump.ps1 -Execute to generate telemetry, then -Cleanup to securely delete the dump
$ CVE-2026-47291: python check_cve_2026_47291.py --local for a patch/MaxRequestBytes verdict, and --target 10.0.0.10 for benign http.sys exposure only
$ General: stand up an isolated, snapshotted lab target, run the PoC, confirm your detections fire, then clean up and revert the snapshot

08Compliance & Frameworks

MITRE ATT&CK
Sigma rules tagged across 8 techniques including T1546, T1068, T1190, T1505.003, T1059.001/003, T1003.001, T1218.011.
CISA KEV
Two packs (CVE-2025-59287 WSUS, CVE-2025-31324 SAP) target Known Exploited Vulnerabilities catalog entries.
CVSS 3.1
Every CVE pack documents the base vector and score (9.8 / 9.8 / 9.8 / 8.8), with temporal scoring on HTTP.sys.
CWE
Root causes classified by weakness — CWE-502 (WSUS deserialization), CWE-190 -> CWE-122 (HTTP.sys integer -> heap overflow).
Sigma
Detections authored in the open Sigma standard for portability across SIEM backends.
Atomic Red Team / LOLBAS
The T1003.001 pack references LOLBAS (comsvcs) and Atomic Red Team for technique cross-validation.

Explore Exploit PoC & Detection Lab

Full source, documentation, and deployment guides live on GitHub.