id: smb-allow-unencrypted-passwords

info:
  name: Unencrypted Passwords to SMB Servers Allowed
  author: princechaddha
  severity: high
  description: Verifies if the system allows sending unencrypted passwords to third-party SMB servers, which is a security risk.
  impact: |
    Sending unencrypted passwords over the network can lead to credential theft by attackers.
  remediation: |
    Configure SMB to prevent sending unencrypted passwords.
  tags: smb,password,unencrypted,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name 'EnablePlainTextPassword'

    matchers:
      - type: word
        words:
          - "EnablePlainTextPassword : 1"
# digest: 4a0a00473045022100fe751ada2e3137106aa9c43e14361e5f8a64ce7a14c68254aae3f27b340f5d42022021708df9f8489ad6e468e9e55596a6c3ad82051413eaa3bd87576c6c19139d30:922c64590222798bb761d5b6d8e72950