Problem Statement Innovative

The document outlines a problem statement for developing an agent-less vulnerability and network scanner for Windows systems, aimed at identifying and mitigating potential security threats. The solution should audit system and network vulnerabilities, provide comprehensive system information, and generate reports in PDF or HTML format. The project is under the National Technical Research Organisation and focuses on enhancing cybersecurity through effective vulnerability detection and mapping.

Uploaded by

pshanjalwrites

Problem Statement Details

Problem Statement ID
1684
Problem Statement Title
Agent-less Windows System Vulnerability and Network Scanner
Description
Background: It has been observed that most individuals are hasty when it comes to upgrading or updating their Windows systems to mitigate adversary actions. Hence, a system vulnerability detector and scanner should be in place to audit and verify system- and network-based vulnerabilities (if any exist), so that misconfigurations can be rectified and prominent threats to the individual or organization mitigated.

Description: The above problem statement envisions a blue team approach to identify and map potential vulnerabilities of a Windows OS subsystem, to better secure it and mitigate against various threats (system level and network level).

Expected Solution:
• The problem statement should result in a solution which can report possible vulnerabilities of the underlying Windows OS.
• The AV/EDR-friendly solution should have an agent-less mechanism to find the vulnerabilities and must be able to search and crawl for the related available open-source exploits and their patches.
• Some of the key information at the system level that must be promptly identified by the proposed solution should fall under the following categories:
  System Information:
  - Basic OS info
  - DotNet versions
  - Providers registered for AMSI
  - Registered antivirus (via WMI)
  - Classic and Advanced audit policy settings present in registry keys
  - Auto-run executables/scripts/programs
  - Standard and non-standard firewall rules
  - Windows Defender settings
  - User and machine personal certificate files
  - Current environment PATH folders, environment variables and SDDL information
  - Lists files/folders; by default, lists users' Downloads, Documents and Desktop folders
  - Information about a file (version information, AMSI providers registered)
  - Installed hotfixes (via WMI)
  - Installed products via the registry
  - Local Group Policy settings applied to the machine/local users
  - Non-empty local groups; displays all groups
  - Local users, whether they're active/disabled
  - All Microsoft updates (via COM, WMI)
  - NTLM authentication settings
  - Saved RDP connections stored in the registry
  - Current incoming RDP sessions
  - Remote Desktop Server/Client settings
  - Secure Boot configuration
  - Sysmon configuration from the registry
  - UAC system policies via the registry
  - Windows Defender settings (including exclusion locations)
  - Searches PowerShell console history files for sensitive regex matches
  Network Information:
  - Lists the current ARP table and adapter information
  - DNS cache entries (via WMI)
  - Windows network profiles
  - Network shares exposed by the machine
  - Current TCP and UDP connections and their associated processes and services
  - Current RPC endpoints mapped
  - Open ports status
• Additionally, the solution should have the capability to provide information at the network level that must fall under the following categories:
  - System interface connectors
  - LLDP / CDP connections (to infrastructure devices)
  - Attached network vectors (systems connected within the VLAN)
  - The capability to formulate a network diagram using this information
• Should be able to work with the latest Windows 10/11 builds.
• The proposed solution should be able to consolidate its findings into a report file (PDF and/or HTML format).
Organization
National Technical Research Organisation (NTRO)
Department
National Technical Research Organisation (NTRO)
Category
Software
Theme
Blockchain & Cybersecurity
Youtube Link
Dataset Link
- For Windows enumeration, refer to the WinPEAS script from GitHub, Posh-Sysmon (GitHub), Posh-SecMod (GitHub), SecurityPolicyDSC (GitHub)
- For crawling purposes, refer to exploitDB, CVEDetails, VulnDB, CXSecurity, Windows-Exploit-Suggestor (GitHub)
- For network enumeration and mapping, refer to Posh-SecMod (GitHub), WinCDP (GitHub), LDWin (GitHub), Network Topolog
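The following is an added example, not code from the problem statement or from NTRO: a read-only PowerShell collector that covers a subset of the system- and network-level checks listed above (OS info, hotfixes via WMI/CIM, registered antivirus, Defender exclusion locations, UAC registry policies, Secure Boot state, saved RDP connections, ARP table, DNS cache, shares, TCP connections with their owning process) and consolidates the findings into a single HTML report. It assumes Windows 10/11 with PowerShell 5.1 or later, run elevated; the default report path and the section names are constructed for this example. For agent-less remote collection, a CIM session over WinRM can be passed as -CimSession, so nothing is installed on the target; the registry-based checks are shown local-only here and would need Invoke-Command to run remotely.

```powershell
# Added example (not the problem statement's own code): read-only Windows baseline
# collector for a subset of the listed checks, written out as an HTML report.
# Assumptions: Windows 10/11, PowerShell 5.1+, elevated. For agent-less remote use,
# pass a CIM session (New-CimSession -ComputerName <host>); CIM/CDXML cmdlets accept
# -CimSession, while the registry checks below read the local hive only.
[CmdletBinding()]
param(
    [string]$ReportPath = (Join-Path $env:TEMP 'win-audit-report.html'),   # constructed default
    [Microsoft.Management.Infrastructure.CimSession]$CimSession
)

$cim = @{}
if ($CimSession) { $cim.CimSession = $CimSession }

$sections = [ordered]@{}

# Basic OS info
$sections['OS'] = Get-CimInstance Win32_OperatingSystem @cim |
    Select-Object Caption, Version, BuildNumber, OSArchitecture, LastBootUpTime

# Installed hotfixes via WMI/CIM (Win32_QuickFixEngineering)
$sections['Hotfixes'] = Get-CimInstance Win32_QuickFixEngineering @cim |
    Select-Object HotFixID, Description, InstalledOn | Sort-Object InstalledOn -Descending

# Registered antivirus products (SecurityCenter2 namespace is absent on Server SKUs)
$sections['Antivirus'] = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct @cim -ErrorAction SilentlyContinue |
    Select-Object displayName, productState, pathToSignedProductExe

# Defender settings, including exclusion locations (a common weakening of coverage)
$mp = Get-MpPreference @cim -ErrorAction SilentlyContinue
$sections['Defender'] = [pscustomobject]@{
    RealTimeMonitoringDisabled = $mp.DisableRealtimeMonitoring
    ExclusionPaths             = ($mp.ExclusionPath -join '; ')
    ExclusionProcesses         = ($mp.ExclusionProcess -join '; ')
    ExclusionExtensions        = ($mp.ExclusionExtension -join '; ')
}

# UAC system policies from the registry (local hive only in this example)
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$sections['UAC'] = Get-ItemProperty -Path $uacKey |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, LocalAccountTokenFilterPolicy

# Secure Boot configuration (Confirm-SecureBootUEFI throws on legacy-BIOS machines)
$sb = $(try { Confirm-SecureBootUEFI } catch { 'Not UEFI / unavailable' })
$sections['SecureBoot'] = [pscustomobject]@{ SecureBootEnabled = $sb }

# Saved RDP connections recorded per server under the current user's hive
$rdpKey = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
$sections['SavedRDP'] = Get-ChildItem $rdpKey -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Server = $_.PSChildName; UsernameHint = (Get-ItemProperty $_.PSPath).UsernameHint }
}

# Network: ARP table, DNS cache, exposed shares, TCP connections with owning process
$sections['ARP'] = Get-NetNeighbor @cim -AddressFamily IPv4 |
    Where-Object State -ne 'Unreachable' | Select-Object ifIndex, IPAddress, LinkLayerAddress, State
$sections['DNSCache'] = Get-DnsClientCache @cim | Select-Object Entry, RecordName, Data, TimeToLive
$sections['Shares']   = Get-SmbShare @cim | Select-Object Name, Path, Description

$procNames = @{}
Get-CimInstance Win32_Process @cim | ForEach-Object { $procNames[[int]$_.ProcessId] = $_.Name }
$sections['TCP'] = Get-NetTCPConnection @cim |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { $procNames[[int]$_.OwningProcess] } }

# Open ports status: the listening subset of the connection table
$sections['Listening'] = $sections['TCP'] | Where-Object State -eq 'Listen' |
    Select-Object LocalAddress, LocalPort, Process | Sort-Object LocalPort

# Consolidate every section into one HTML report, one table per section
$head = '<style>body{font-family:sans-serif} table{border-collapse:collapse} td,th{border:1px solid #999;padding:3px 6px}</style>'
$body = foreach ($name in $sections.Keys) {
    "<h2>$name</h2>"
    $sections[$name] | ConvertTo-Html -Fragment
}
ConvertTo-Html -Head $head -Title "Windows audit $(Get-Date -Format s)" -Body ($body -join "`n") |
    Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

Every cmdlet used is a read operation, which is what keeps the collector AV/EDR friendly: nothing is written to the target, no binary is dropped, and remote collection rides on the WinRM/CIM channel that is already part of Windows. The HTML fragments can be converted to PDF with any HTML-to-PDF tool to meet the PDF reporting requirement; the remaining list items (audit policy, Sysmon configuration, LLDP/CDP, RPC endpoints) follow the same pattern of one read-only query feeding one report section.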