I am currently trying to further understand the implications of creating a WinRM listener on port 5986 for encrypted communication via SSL. I would like to have remoting enabled in our environment. However, current malware trends are using 5985/5986 to move laterally. Can anyone explain if this is an issue with PowerShell remoting and if there is any way to prevent that without blocking outgoing ports via firewall? CredSSP will remain disabled, so I'm not sure how it would move laterally since there is only one hop. Thoughts/suggestions?
Thanks. I tried setting up a listener on a random port (2352) and when I try to initiate it from the admin workstation while specifying the port in the command, it just hangs (works fine with 5986). What do you mean by "make that the default outbound port on your originating computers"? Are you just talking about the firewall?
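The following is an added example, not code posted by anyone in this thread, showing the full set of steps for an HTTPS WinRM listener on a non-default port: creating the listener bound to a server certificate, opening that port in the host firewall (the built-in "Windows Remote Management" rules only cover 5985 and 5986, so a listener on any other port needs its own inbound rule), keeping CredSSP disabled, and then testing from the admin workstation. A client that hangs instead of failing quickly is typically having its packets dropped somewhere on the path, which is what the `Test-NetConnection` line is there to distinguish. One possible reading of "default outbound port on your originating computers" is the client-side `WSMan:\localhost\Client\DefaultPorts\HTTPS` setting, shown last; that interpretation is an assumption. The host name `srv01.corp.example`, the port 2352 and the management subnet `10.10.0.0/24` are placeholders.

```powershell
# Added example (not from the original thread): HTTPS WinRM listener on a custom port,
# matching firewall rule, CredSSP kept off, and client-side tests.
# Placeholders: 'srv01.corp.example' (target host), 2352 (port), 10.10.0.0/24 (admin subnet).

#Requires -RunAsAdministrator

# ---- On the target server --------------------------------------------------
$Port     = 2352
$HostName = 'srv01.corp.example'   # must match the certificate subject/SAN (assumed name)

# Pick a certificate with a private key whose DNS name matches the host; prefer the
# one that expires last. (Certificate issuance itself is outside this example.)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $HostName in LocalMachine\My" }

# Make sure the WinRM service is running so the WSMan: drive is usable.
Set-Service WinRM -StartupType Automatic
Start-Service WinRM

# Create the HTTPS listener on the custom port. This fails if an HTTPS listener
# already exists for Address=*, so remove or edit that one first if needed.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -Port $Port `
    -HostName $HostName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# The built-in WinRM firewall rules only allow 5985/5986. Open the custom port,
# scoped to the management subnet and the Domain profile only.
New-NetFirewallRule -DisplayName "WinRM HTTPS $Port" -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress '10.10.0.0/24' -Profile Domain -Action Allow | Out-Null

# Keep CredSSP disabled on both the service and client side of this host.
Set-Item WSMan:\localhost\Service\Auth\CredSSP -Value $false
Set-Item WSMan:\localhost\Client\Auth\CredSSP  -Value $false

# Show what is actually listening (transport, port, host name, thumbprint per listener).
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" |
        Where-Object { $_.Name -in 'Transport', 'Port', 'Hostname', 'CertificateThumbprint' }
}

# ---- On the admin workstation ----------------------------------------------
# TcpTestSucceeded = False here means the port is blocked/dropped on the path,
# which shows up as a hang in Enter-PSSession rather than a clear error.
Test-NetConnection -ComputerName $HostName -Port $Port

# Test-WSMan -UseSSL performs the TLS handshake (so it catches certificate trust
# problems) but only sends an unauthenticated Identify request; Enter-PSSession
# is the real end-to-end check. Both need the explicit port.
Test-WSMan -ComputerName $HostName -Port $Port -UseSSL
Enter-PSSession -ComputerName $HostName -Port $Port -UseSSL

# Optional: make 2352 the client's default HTTPS port so -Port can be omitted.
# This is a WSMan client setting on the originating machine, not a firewall rule.
Set-Item WSMan:\localhost\Client\DefaultPorts\HTTPS -Value $Port
```

With the default port changed on the client, `Enter-PSSession -ComputerName srv01.corp.example -UseSSL` connects to 2352 without `-Port`; hosts that still listen on 5986 then need `-Port 5986` stated explicitly from that workstation, so the setting is worth applying consistently or not at all.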