id: winrm-basic-auth-enabled

info:
  name: WinRM Basic Authentication Enabled
  author: princechaddha
  severity: high
  description: Verifies if Windows Remote Management (WinRM) allows basic (unencrypted) authentication.
  impact: |
    Basic authentication can expose credentials in plaintext, allowing attackers to intercept and exploit sensitive information.
  remediation: |
    Disable Basic authentication and configure secure authentication mechanisms like Kerberos or certificate-based authentication.
  tags: windows,winrm,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-Item WSMan:\localhost\Service\Auth).Basic

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a0047304502201349c326172ad7c99321bdeef34b0c9f4de0bffbbe059d59b0c54d69297f9609022100cc01c084c4921e175d0cbd59a9a209863b9705dffa039856537b192b5ad18ed1:922c64590222798bb761d5b6d8e72950