id: winrm-enabled

info:
  name: Windows Remote Management (WinRM) Enabled
  author: princechaddha
  severity: medium
  description: Checks if WinRM is enabled when not required.
  impact: |
    Enabling WinRM unnecessarily can expose the system to remote command execution attacks.
  remediation: |
    Disable WinRM if it is not being used to reduce the attack surface.
  tags: windows,winrm,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-Service -Name WinRM | Select-Object -ExpandProperty Status

    matchers:
      - type: word
        words:
          - "Running"
# digest: 4a0a0047304502203485c6c17e6ed0907bbecbc5051fc337ba8938d679cde6acc0d8f85dfeda909702210090b61d8ecd6e9586a647ecfe389bf4efe05d1b09085bd4ec85a9522093cace24:922c64590222798bb761d5b6d8e72950