id: winrm-basic-auth-enabled

info:
  name: WinRM Basic Authentication Enabled
  author: princechaddha
  severity: high
  description: Verifies if Windows Remote Management (WinRM) allows Basic (unencrypted) authentication.
  impact: |
    Basic authentication can expose credentials in plaintext, allowing attackers to intercept and exploit sensitive information.
  remediation: |
    Disable Basic authentication and configure secure authentication mechanisms like Kerberos or certificate-based authentication.
  tags: windows,winrm,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # The Auth container object has no .Basic property; read the Basic leaf item instead.
      # Its Value is the string "true" or "false", so parse it to print True/False for the matcher.
      [bool]::Parse((Get-Item WSMan:\localhost\Service\Auth\Basic).Value)

    matchers:
      - type: word
        words:
          - "True"