id: winrm-basic-auth-enabled

info:
  name: WinRM Basic Authentication Enabled
  author: princechaddha
  severity: high
  description: Verifies if Windows Remote Management (WinRM) allows basic (unencrypted) authentication.
  impact: |
    Basic authentication can expose credentials in plaintext, allowing attackers to intercept and exploit sensitive information.
  remediation: |
    Disable Basic authentication and configure secure authentication mechanisms like Kerberos or certificate-based authentication.
  tags: windows,winrm,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-Item WSMan:\localhost\Service\Auth).Basic

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a00473045022100d283f635a02ec0843dd7a3a8a0604802fcdf600c1d285d876a626967987c173102205b3b87d7af3803469f4f149e2964325188c6ece725d707784eea3b6cc0780ac9:922c64590222798bb761d5b6d8e72950