January 10, 2018 at 5:59 pm

I am currently trying to further understand the implications of creating a WinRM listener on port 5986 for encrypted communication via SSL. I would like to have remoting enabled in our environment. However, current malware trends are using 5985/5986 to move laterally. Can anyone explain if this is an issue with PowerShell remoting and if there is any way to prevent that without blocking outgoing ports via firewall? CredSSP will remain disabled, so I'm not sure how it would move laterally since there is only one hop. Thoughts/suggestions?

January 11, 2018 at 2:16 pm

Remoting isn't really a lateral move option. The malware would need to infect the WS-MAN code somehow, and if that happens it won't matter what port it uses.

But if it's a concern, just use different ports. You can set up the listener wherever you want, and you can make that the default outbound port on your originating computers.

January 11, 2018 at 2:41 pm

Thanks. I tried setting up a listener on a random port (2352) and when I try to initiate it from the admin workstation while specifying the port in the command, it just hangs (works fine with 5986). What do you mean by "make that the default outbound port on your originating computers"? Are you just talking about the firewall?

January 11, 2018 at 2:44 pm

Actually – just re-tested. Looks like I have to specify the port AND the UseSSL command, which is good for security (can't use just port and can't use just UseSSL).
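
The setup discussed in this thread, as an added example that is not part of any poster's reply: an HTTPS listener on the custom port 2352, a firewall rule scoped to the admin workstation, and the client-side default port setting. Assumptions: the server name `server01.example.test` and the address `192.0.2.10` are placeholders, and a server certificate issued to the host's FQDN is already installed in the machine store.

```powershell
# --- On the server (elevated session) ---
$port    = 2352                      # custom port used in the thread
$adminIp = '192.0.2.10'              # placeholder: admin workstation address
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick the newest unexpired certificate for this host that permits Server Authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$fqdn*" -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable server certificate found for $fqdn" }

# Create the HTTPS listener on the custom port.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -Port $port -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force

# Allow the port inbound only from the admin workstation, not from every peer.
New-NetFirewallRule -DisplayName "WinRM HTTPS ($port) from admin workstation" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -RemoteAddress $adminIp -Action Allow

# --- On the admin workstation ---
$server = 'server01.example.test'    # placeholder: must match the certificate subject

# Explicit form: -Port alone would speak plain HTTP to a TLS listener,
# so both -Port and -UseSSL are required.
Test-WSMan -ComputerName $server -Port 2352 -UseSSL
Invoke-Command -ComputerName $server -Port 2352 -UseSSL -ScriptBlock { $env:COMPUTERNAME }

# Alternative (elevated): change the client's default HTTPS port,
# after which -UseSSL by itself connects to 2352.
Set-Item WSMan:\localhost\Client\DefaultPorts\HTTPS -Value 2352
Invoke-Command -ComputerName $server -UseSSL -ScriptBlock { $env:COMPUTERNAME }
```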