id: winrm-allows-unencrypted-traffic

info:
  name: WinRM Allows Unencrypted Traffic
  author: princechaddha
  severity: high
  description: Verifies if Windows Remote Management (WinRM) is allowing unencrypted traffic, exposing sensitive data.
  impact: |
    Allowing unencrypted traffic in WinRM can expose sensitive information to attackers.
  remediation: |
    Configure WinRM to require encrypted traffic by setting `AllowUnencrypted` to `False`.
  tags: winrm,unencrypted,traffic,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-Item WSMan:\localhost\Service).AllowUnencrypted

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a00473045022100feb80bd5b415c4356da922755674bb947368f9fb4fde47193bf031f4a04ac85f0220424e360d75059ab517b3bee14a5b7105adf5e6a4c1d7c437134a9aff12414f56:922c64590222798bb761d5b6d8e72950