id: winrm-detect

info:
  name: Windows Remote Management - Detection
  author: pussycat0x
  severity: info
  description: |
    Detects Windows Remote Management (WinRM) by checking HTTP response headers on ports 5985 (HTTP) and 5986 (HTTPS).
  metadata:
    max-request: 1
    verified: true
    shodan-query: product:"WinRM"
  tags: network,winrm,windows

http:
  - method: POST
    path:
      - "{{BaseURL}}/wsman"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 401

      - type: regex
        part: header
        regex:
          - 'Microsoft-HTTPAPI\/[0-9\.]+'

      - type: word
        part: header
        words:
          - "Www-Authenticate: NTLM"
          - "Www-Authenticate: Negotiate"
        condition: or
# digest: 4b0a00483046022100eac570d9b3075a685e3272c7187bbf9188fc78918a3c90940596b831b97594700221009718b3f625d4c366cc2d750b15f8065f71533c23e8c5ea508dace8ecbe9584bb:922c64590222798bb761d5b6d8e72950