Understanding PowerShell Remoting via HTTPS


This topic contains 3 replies, has 2 voices, and was last updated by a Participant 10 months, 1 week ago.

  • #91202

    Participant
    Points: 18
    Rank: Member

    I am currently trying to further understand the implications of creating a WinRM listener on port 5986 for encrypted communication via SSL. I would like to have remoting enabled in our environment. However, current malware trends are using 5985/5986 to move laterally. Can anyone explain if this is an issue with PowerShell remoting and if there is any way to prevent that without blocking outgoing ports via firewall? CredSSP will remain disabled, so I'm not sure how it would move laterally since there is only one hop. Thoughts/suggestions?

  • #91232

    Keymaster
    Points: 1,638
    Helping Hand, Team Member
    Rank: Community Hero

    Remoting isn't really a lateral move option. The malware would need to infect the WS-MAN code somehow, and if that happens it won't matter what port it uses.

    But if it's a concern, just use different ports. You can set up the listener wherever you want, and you can make that the default outbound port on your originating computers.

  • #91240

    Participant
    Points: 18
    Rank: Member

    Thanks. I tried setting up a listener on a random port (2352) and when I try to initiate it from the admin workstation while specifying the port in the command, it just hangs (works fine with 5986). What do you mean by "make that the default outbound port on your originating computers"? Are you just talking about the firewall?

  • #91243

    Participant
    Points: 18
    Rank: Member

    Actually – just re-tested. Looks like I have to specify the port AND the UseSSL command, which is good for security (can't use just port and can't use just UseSSL).
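The following is an added example, not code posted in this thread, that puts together what the replies describe: an HTTPS-only listener on a non-default port (2352, the port tried above), the "default outbound port" the Keymaster refers to (the WSMan client provider's Client\DefaultPorts\HTTPS setting), and the observation in the last post that an explicit -Port only works together with -UseSSL. Host name SERVER01, the admin workstation address 10.0.0.10, and the presence of a server-authentication certificate in the machine store whose subject matches the host name are assumptions; the commands need an elevated prompt on each side.

```powershell
# Added example (not from the thread). Assumptions: target host SERVER01,
# listener port 2352, admin workstation 10.0.0.10, and a server-auth
# certificate already present in Cert:\LocalMachine\My for the host name.

# ---- On SERVER01 (the remoting target) ----
$port  = 2352
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" } |
          Select-Object -First 1).Thumbprint
if (-not $thumb) { throw "No server certificate found in Cert:\LocalMachine\My" }

# If Enable-PSRemoting was run earlier, an HTTP listener on 5985 exists too.
# Remove it so only the HTTPS listener remains.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object Keys -contains 'Transport=HTTP' |
    Remove-Item -Recurse

# HTTPS listener bound to the certificate, on the non-default port.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbPrint $thumb -Port $port -Force | Out-Null

# Inbound rule scoped to the admin workstation only. Any other source is
# dropped at the firewall before WinRM ever sees a credential.
New-NetFirewallRule -DisplayName "WinRM HTTPS $port (admin workstation only)" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -RemoteAddress 10.0.0.10 -Action Allow | Out-Null

# Check: expect a single listener whose Keys show Transport=HTTPS
Get-ChildItem WSMan:\localhost\Listener | Format-Table Keys

# ---- On the admin workstation (the originating computer) ----
# "Default outbound port": the WSMan client provider stores the port used
# when -Port is omitted. Point the HTTPS default at 2352.
Set-Item -Path WSMan:\localhost\Client\DefaultPorts\HTTPS -Value 2352

# With the default changed, -UseSSL alone reaches 2352. An explicit -Port
# also works, but only together with -UseSSL: -Port 2352 without -UseSSL
# sends plain HTTP to an HTTPS listener and the call never completes,
# which matches the hang described in the thread.
Test-WSMan -ComputerName SERVER01 -UseSSL              # uses the new default port
Test-WSMan -ComputerName SERVER01 -Port 2352 -UseSSL   # explicit form

Invoke-Command -ComputerName SERVER01 -UseSSL -ScriptBlock {
    # Confirm from the server side which listener is in place
    Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
}
```

Changing the port keeps casual scanners off 5985/5986, but it is the firewall scoping by source address and the absence of an HTTP listener that actually limit who can reach the service; treat the port number as a convenience, not a control.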
