id: hyperv-enhanced-session-mode-enabled

info:
  name: Hyper-V Enhanced Session Mode Enabled
  author: princechaddha
  severity: medium
  description: Determines if Hyper-V Enhanced Session Mode is enabled unnecessarily.
  impact: |
    Enabling Enhanced Session Mode unnecessarily can expose the virtual machine to additional risks by increasing attack surface.
  remediation: |
    Disable Enhanced Session Mode if not required.
  tags: windows,hyperv,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $enhancedSession = Get-VMHost | Select-Object -ExpandProperty EnhancedSessionTransportType
      Write-Host "EnhancedSessionMode: $enhancedSession"

    matchers:
      - type: word
        words:
          - "EnhancedSessionMode: VMBus"
# digest: 4b0a00483046022100fb3af596ff992d78bfe7b65da821aeca50b0566a1479e624d0536b109e8fd03f022100862a31a71b72aa0301c931cdbaf9e6c882c18022d5800af7d32a08feea76f81f:922c64590222798bb761d5b6d8e72950