id: anonymous-sam-enumeration-enabled

info:
  name: Anonymous Enumeration of SAM Accounts Enabled
  author: princechaddha
  severity: high
  description: Checks if anonymous users can enumerate Security Account Manager (SAM) accounts, posing a security risk.
  impact: |
    Anonymous enumeration of SAM accounts exposes user information that could be leveraged in further attacks.
  remediation: |
    Disable anonymous enumeration of SAM accounts to prevent unauthorized information gathering.
  tags: windows,sam,enumeration,anonymous,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RestrictAnonymousSAM'

    matchers:
      - type: word
        words:
          - "restrictanonymoussam : 0"
# digest: 4a0a00473045022100cffaf676539e7cfa4172a9dc716c010db11df5bce825418a56fc2e5eac15e82c02202e5dddabe3d3f93be2bc4b93ee434d9a81b2d72a31ff00fcd93252533cd6c143:922c64590222798bb761d5b6d8e72950