id: auto-logon-enabled

info:
  name: AutoLogon Enabled
  author: princechaddha
  severity: medium
  description: Checks if automatic logon is enabled, allowing users to bypass login prompts.
  impact: |
    AutoLogon can allow unauthorized users to access the system without authentication.
  remediation: |
    Disable AutoLogon to ensure users are prompted for credentials.
  tags: autologon,login,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoAdminLogon' -ErrorAction SilentlyContinue).AutoAdminLogon -eq '1'

    matchers:
      - type: word
        words:
          - "True"
# digest: 4b0a004830460221009d777ec93475e84cd0be934d2fd26fbc6098cc97b17a39e0e12c7159e7b0c210022100cf2d9c35201666ef87feebc3ff5f075d24b17342bebf6fd0970cfe7fc2d6336d:922c64590222798bb761d5b6d8e72950