Understanding PowerShell Remoting via HTTPS

This topic contains 3 replies, has 2 voices, and was last updated by Jeff 4 months, 1 week ago.

  • #91202

    Jeff
    Participant

    I am currently trying to further understand the implications of creating a WinRM listener on port 5986 for encrypted communication via SSL. I would like to have remoting enabled in our environment. However, current malware trends are using 5985/5986 to move laterally. Can anyone explain if this is an issue with PowerShell remoting and if there is any way to prevent that without blocking outgoing ports via firewall? CredSSP will remain disabled, so I'm not sure how it would move laterally since there is only one hop. Thoughts/suggestions?

  • #91232

    Don Jones
    Keymaster

    Remoting isn't really a lateral move option. The malware would need to infect the WS-MAN code somehow, and if that happens it won't matter what port it uses.

    But if it's a concern, just use different ports. You can set up the listener wherever you want, and you can make that the default outbound port on your originating computers.

  • #91240

    Jeff
    Participant

    Thanks. I tried setting up a listener on a random port (2352) and when I try to initiate it from the admin workstation while specifying the port in the command, it just hangs (works fine with 5986). What do you mean by "make that the default outbound port on your originating computers"? Are you just talking about the firewall?

  • #91243

    Jeff
    Participant

    Actually – just re-tested. Looks like I have to specify the port AND the UseSSL command, which is good for security (can't use just port and can't use just UseSSL).
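
    The setup the thread arrives at (an HTTPS listener on a non-default port, a client that passes both -Port and -UseSSL, and Don's "default outbound port" on the originating workstation), as an added PowerShell example that is not from the thread or its posters. SRV01.example.local, the certificate thumbprint and port 2352 (the port tried above) are placeholders.

```powershell
# Added example, not from the thread. Placeholders: SRV01.example.local (remote host),
# the certificate thumbprint, and port 2352. Run the server part in an elevated
# session on the remote host, the client part on the admin workstation.

# ---- On the remote host: HTTPS listener on a non-default port ----
$thumb = 'REPLACE-WITH-THUMBPRINT'   # placeholder: thumbprint of a server-auth cert
$port  = 2352

# WinRM HTTPS listener bound to all addresses on the chosen port. Hostname must
# match the certificate subject, otherwise clients fail the TLS check.
New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = 'SRV01.example.local'; CertificateThumbprint = $thumb; Port = "$port" }

# No firewall rule is created for a custom port; without one, client connections
# to it hang until they time out (5986 works because its rule already exists).
New-NetFirewallRule -DisplayName "WinRM HTTPS ($port)" -Direction Inbound `
    -Protocol TCP -LocalPort $port -Action Allow -Profile Domain

# Check which listeners exist so that no unintended HTTP listener stays behind.
Get-ChildItem WSMan:\localhost\Listener | Format-Table Name, Keys

# ---- On the admin workstation ----
# Both switches are required: -UseSSL alone targets the client's default HTTPS port
# (5986), and -Port alone sends plain HTTP to a listener that only speaks TLS.
Test-WSMan -ComputerName SRV01.example.local -Port $port -UseSSL
$s = New-PSSession -ComputerName SRV01.example.local -Port $port -UseSSL `
        -Credential (Get-Credential)
Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession $s

# "Make that the default outbound port": change the client-side default so that
# -UseSSL on its own goes to the custom port and -Port can be omitted.
Set-Item -Path WSMan:\localhost\Client\DefaultPorts\HTTPS -Value $port
```

Changing the client default is per workstation, so it belongs in the admin workstation build or a GPO rather than being set by hand.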
