id: windows-active-desktop-enabled

info:
  name: Active Desktop Enabled
  author: princechaddha
  severity: medium
  description: Checks if Active Desktop is enabled, which can be exploited to deliver malicious content.
  impact: |
    Enabling Active Desktop allows attackers to inject malicious content or scripts.
  remediation: |
    Disable Active Desktop unless it's specifically required.
  tags: windows,active-desktop,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoActiveDesktop' -ErrorAction SilentlyContinue).NoActiveDesktop -eq 0) { Write-Output 'Active Desktop enabled'; }

    matchers:
      - type: word
        words:
          - "Active Desktop enabled"
# digest: 4b0a00483046022100dd7bd8214f67351b1f25da25ba78a12be98578f4226ecf715c03dbada396c81002210081f219e777b23470afed5bfc517e0da110eafa38c9ab9d6bf018757207d482c9:922c64590222798bb761d5b6d8e72950