id: windows-anonymous-sid-enumeration-allowed

info:
  name: Windows Allows Anonymous SID Enumeration
  author: princechaddha
  severity: medium
  description: Checks if anonymous users can enumerate Security Identifiers (SIDs), which can expose user information.
  impact: |
    Allowing anonymous SID enumeration can provide attackers with information to target specific users.
  remediation: |
    Disable anonymous SID enumeration to protect sensitive user information.
  tags: windows,anonymous,sid,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'AnonymousSidNameTranslation' -ErrorAction SilentlyContinue).AnonymousSidNameTranslation -eq 1) { Write-Output 'Anonymous SID Enumeration Allowed'; }

    matchers:
      - type: word
        words:
          - "Anonymous SID Enumeration Allowed"
# digest: 4a0a004730450220381d7514da49979121faf59dc0a82e1638922d2223ccf9db2475b3bc836e6ef3022100d328f72d23ecf88abf4c52393f7c91acd950ad1809a179244c5ad5c9a669d161:922c64590222798bb761d5b6d8e72950