id: smb-v1-enabled

info:
  name: SMB v1 Protocol Enabled
  author: princechaddha
  severity: critical
  description: Detects if SMB v1 protocol is enabled, which is vulnerable to numerous exploits.
  impact: |
    SMB v1 is vulnerable to multiple attacks, including the infamous WannaCry ransomware.
  remediation: |
    Disable SMB v1 protocol to enhance the security of your system.
  tags: windows,smb,network,protocol,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-SmbServerConfiguration).EnableSMB1Protocol

    matchers:
      - type: word
        words:
          - "True"
# digest: 4b0a00483046022100ec7a4d00dca9aaec04dacb6360a1e4ac43cd5bf12d5220fe3e0cfd2834420732022100e753ea5c51bb82e13a24d65e62a730ff489be81c01baa544b0d1cc9813ed1634:922c64590222798bb761d5b6d8e72950