id: windows-autorun-enabled

info:
  name: AutoRun Enabled
  author: princechaddha
  severity: medium
  description: Checks if AutoRun is enabled for removable media.
  impact: |
    Enabling AutoRun for removable media can lead to automatic execution of malicious software.
  remediation: |
    Disable AutoRun to prevent potential malware from running automatically when a device is connected.
  tags: windows,autorun,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun -ne '0xFF') { Write-Output 'AutoRun is enabled'; }

    matchers:
      - type: word
        words:
          - "AutoRun is enabled"
# digest: 4a0a00473045022043f59bb21d80f39d706a762ebb25bcd04866074dcc30e67188d6eff277fd47eb022100be9888f60d9f69d6b993829443131083030d1dd5b9d57dc29e79b480b303803b:922c64590222798bb761d5b6d8e72950