id: winrm-remote-shell-access-allowed

info:
  name: Remote Shell Access Allowed
  author: princechaddha
  severity: high
  description: Checks if remote shell access via WinRM is allowed, which can be exploited.
  impact: |
    Remote shell access could allow unauthorized access to critical system components.
  remediation: |
    Disable remote shell access in WinRM.
  tags: winrm,remote-shell,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-Item WSMan:\localhost\Shell).AllowRemoteShellAccess

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a00473045022100cb8c2397af57a78add94b8be79fd44450acb658ac755ea63dbc4b705a098f8d90220467aa5193885ff95a20ffb87f6944b404071159462e60e8d67d939c6243103e9:922c64590222798bb761d5b6d8e72950