winsec-test-mcp by Cosmicjedi - MCP Server

Windows Security Testing MCP Server

A Model Context Protocol (MCP) server that provides comprehensive Windows software testing and security analysis capabilities using Windows containers, Sysinternals Suite, and advanced monitoring tools.

Purpose

This MCP server provides a secure interface for AI assistants to install Windows applications in an isolated environment, monitor their behavior, detect security vulnerabilities, and analyze for potential malware activity.

Features

Current Implementation

install_and_monitor - Install Windows applications while monitoring system changes, registry modifications, and process behavior
check_permissions - Analyze file and directory permissions for privilege escalation vulnerabilities
scan_for_malware - Scan files using Windows Defender and pattern detection for malware indicators
monitor_runtime_behavior - Monitor application runtime including API calls, network activity, and DLL injections
analyze_update_mechanism - Check update mechanisms for security vulnerabilities like unsigned updates
generate_security_report - Create comprehensive security analysis reports for tested applications
quarantine_threat - Isolate potentially malicious files with restricted permissions

Prerequisites

Docker Desktop with Windows containers support enabled
Docker MCP CLI plugin (docker mcp command)
Windows 10/11 or Windows Server 2019+ (for Windows containers)
Optional: VirusTotal API key for enhanced malware detection

Installation

Step 1: Clone the Repository

git clone https://github.com/Cosmicjedi/winsec-test-mcp.git
cd winsec-test-mcp

Step 2: Build Docker Image

# Switch Docker to Windows containers mode
# Right-click Docker Desktop tray icon → "Switch to Windows containers..."

# Build the image
docker build -t winsec-test-mcp-server .

Step 3: Configure MCP

Follow the detailed setup instructions in the documentation to integrate with Claude Desktop.

Usage Examples

In Claude Desktop, you can ask:

"Install this software and monitor what system changes it makes"
"Check if this executable has any permission vulnerabilities"
"Scan this file for malware and suspicious patterns"
"Monitor this application's network connections and API calls for 2 minutes"
"Analyze the update mechanism of this application for security issues"
"Generate a security report for the software we just tested"
"Quarantine this suspicious file with a detailed reason"

Architecture

Claude Desktop → MCP Gateway → Windows Security Testing Server → Windows Container
                                                              ↓
                                                    Sysinternals Suite
                                                    Windows Defender
                                                    PowerShell 7
                                                    Security Analysis Tools

Security Testing Capabilities

Installation Monitoring

Process Monitor integration for detailed system activity logging
Sysmon for security event logging
Pre/post installation system snapshots
Registry change detection
Service and autorun analysis

Permission Analysis

ACL vulnerability detection
Weak permission identification
PATH hijacking detection
NULL DACL detection
Privilege escalation risk assessment

Malware Detection

Windows Defender integration
YARA rule scanning
Signature verification
Suspicious pattern detection
Behavioral analysis

Runtime Monitoring

API call monitoring
Network connection tracking
File handle analysis
DLL injection detection
Resource usage monitoring

Update Security

Update file permission analysis
Signature verification for updates
Insecure update URL detection
Scheduled task privilege analysis
Update hijacking vulnerability detection

License

MIT License