id: anonymous-sid-enumeration-enabled

info:
  name: Anonymous SID Enumeration Enabled
  author: princechaddha
  severity: medium
  description: Checks if anonymous users can enumerate Security Identifiers (SIDs).
  impact: |
    Allowing anonymous SID enumeration can expose user account details and increase the risk of unauthorized access.
  remediation: |
    Restrict anonymous access to SID enumeration to enhance security.
  tags: windows,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'EveryoneIncludesAnonymous'

    matchers:
      - type: word
        words:
          - "everyoneincludesanonymous : 1"
# digest: 490a004630440220341001bfbb00ae63b5f2edca540804bc4223a9782ebbd486299b97f2f07d517c0220638db550db92324c1cbbae53e979fad320c171dd260623483d31b2346d08050c:922c64590222798bb761d5b6d8e72950