id: remote-assistance-enabled

info:
  name: Check Remote Assistance Misconfiguration
  author: princechaddha
  severity: medium
  description: Checks if Remote Assistance is enabled contrary to security policies.
  impact: |
    Enabling Remote Assistance can lead to unauthorized access.
  remediation: |
    Disable Remote Assistance to comply with security policy.
  tags: remote-assistance, misconfiguration, windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name 'fAllowToGetHelp' -ErrorAction SilentlyContinue | Where-Object { $_.fAllowToGetHelp -eq 1 } | Select-Object -ExpandProperty fAllowToGetHelp

    matchers:
      - type: word
        words:
          - "1"
# digest: 4a0a0047304502205608231536f1bd79ab84afeb2d36ed63a17b46b11695ff183630728b80f6778e022100daf049a73e0a6cba85286b45c22cf8e4f854f972742e79e7a0edd087e18575fa:922c64590222798bb761d5b6d8e72950