
11 Replies

  • Carl Holzhauer wrote:

    for security reasons

    Can you elaborate?

    We have it enabled, but we also log PowerShell and have anomaly detections (e.g. if an HR computer tries to run PowerShell, SOC red-flag alert immediately, etc.)

    We'd rather have it enabled and log / monitor it heavily than turn it off and have to work around stuff all the time.

  • Neally wrote:

    Carl Holzhauer wrote:

    for security reasons

    Can you elaborate?

    Not real well.  Without getting into too much that I'd prefer not to share with a 'named' account, that's just what I was told in the past.  I'd like to think it's because it opens up another avenue of attack for a bad actor...with only RDP open, for example, they're going to have a much harder time attacking a workstation than they would if they had PS Remoting open to them and could blast out "whatever" to hundreds of workstations at once.

    How are you logging and alerting on this? With a SIEM?

  • Neally wrote:

    Carl Holzhauer wrote:

    for security reasons

    Can you elaborate?

    We have it enabled, but we also log PowerShell and have anomaly detections (e.g. if an HR computer tries to run PowerShell, SOC red-flag alert immediately, etc.)

    We'd rather have it enabled and log / monitor it heavily than turn it off and have to work around stuff all the time.

    We do the same. It has been evaluated twice in the last three years as to benefits/risks. I was not involved in the process, so I don't have the arguments used in the evaluations unfortunately.

  • Carl Holzhauer wrote:

    Neally wrote:

    Carl Holzhauer wrote:

    for security reasons

    Can you elaborate?

    Not real well.  Without getting into too much that I'd prefer not to share with a 'named' account, that's just what I was told in the past.  I'd like to think it's because it opens up another avenue of attack for a bad actor...with only RDP open, for example, they're going to have a much harder time attacking a workstation than they would if they had PS Remoting open to them and could blast out "whatever" to hundreds of workstations at once.

    How are you logging and alerting on this? With a SIEM?

    In our case, all logs end up in Splunk for alerting. 

  • Carl Holzhauer wrote:

    How are you logging and alerting on this? With a SIEM?

    Yes. Feed it all into a SIEM.

    Have a read here:

    https://adsecurity.org/?p=2921

    https://devblogs.microsoft.com/powershell/defending-against-powershell-attacks/

    Taking advantage of logging and monitoring and knowing what's going on is better than trying to block things.

    https://www.zdnet.com/article/nsa-cisa-say-dont-block-powershell-heres-what-to-do-instead/

    PowerShell is used for post-exploitation; attackers using PowerShell are already in the network if they can use PowerShell, so really you should worry more about that. And then, as said, log the heck out of it.

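    The "log it heavily and alert on who runs it" approach from the two posts above, as an added example (not code from this thread): it turns on the Script Block Logging, Module Logging and Transcription policies through their registry-backed settings, then spot-checks recent 4104 events on the host against an allow-list. The transcript path and the account names are assumptions; in production the policy settings would come from GPO and the check would run in the SIEM.

```powershell
# Added example, not code from the thread. Run elevated.
# Registry values mirror the Script Block Logging / Module Logging / Transcription
# policies (push them by GPO in production); transcript path is an assumption.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$policy = @{
    "$base\ScriptBlockLogging"        = @{ EnableScriptBlockLogging = 1 }
    "$base\ModuleLogging"             = @{ EnableModuleLogging = 1 }
    "$base\ModuleLogging\ModuleNames" = @{ '*' = '*' }            # log every module
    "$base\Transcription"             = @{ EnableTranscripting = 1
                                           EnableInvocationHeader = 1
                                           OutputDirectory = 'C:\PSTranscripts' }  # assumed
}
foreach ($key in $policy.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $policy[$key].Keys) {
        $value = $policy[$key][$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        Set-ItemProperty -Path $key -Name $name -Value $value -Type $type
    }
}

# Accounts expected to run PowerShell on workstations (assumed names).
$approved = @('CORP\svc-deploy', 'CORP\carl.admin')

function Get-UnexpectedPowerShellUse {
    param([int]$Hours = 24)
    # 4104 = script block executed; UserId is the SID of the account that ran it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | Group-Object { if ($_.UserId) { $_.UserId.Value } else { 'unknown' } } |
      ForEach-Object {
        $sid = $_.Name
        try   { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid }
        if ($approved -notcontains $user) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; User = $user; Blocks = $_.Count
                First    = ($_.Group | Sort-Object TimeCreated)[0].TimeCreated
                # Properties[2] of a 4104 event is the script block text; keep line 1
                Sample   = ($_.Group[0].Properties[2].Value -split "`n")[0]
            }
        }
    }
}
Get-UnexpectedPowerShellUse -Hours 24 | Format-Table -AutoSize
```

    The 4104 events only exist once script block logging is on, so the first run after enabling it will report nothing; the same grouping by user maps directly onto a SIEM search.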
  • Neally wrote:

    PowerShell is used for post-exploitation; attackers using PowerShell are already in the network if they can use PowerShell, so really you should worry more about that. And then, as said, log the heck out of it.

    That is a good point that I never considered. Although, we didn't use to have the Windows Firewall on, and this would have probably contributed to exploitation. Thanks for the links, I'll check them out.

  • Security considerations for PowerShell Remoting using WinRM - PowerShell | Microsoft Docs

    I asked this question myself not long ago. I opted for enabling it on all my endpoints. Benefits outweigh the risks imo.

  • Carl Holzhauer wrote:

    Neally wrote:

    Carl Holzhauer wrote:

    for security reasons

    Can you elaborate?

    Not real well.  Without getting into too much that I'd prefer not to share with a 'named' account, that's just what I was told in the past.  I'd like to think it's because it opens up another avenue of attack for a bad actor...with only RDP open, for example, they're going to have a much harder time attacking a workstation than they would if they had PS Remoting open to them and could blast out "whatever" to hundreds of workstations at once.

    How are you logging and alerting on this? With a SIEM?

    For your concern with an attacker using this against multiple machines, I recommend blocking all RFC 1918 traffic inbound/outbound between your workstations. This will help prevent lateral movement between workstations. I did this months ago and have not had any trouble. My workstations are not allowed to communicate with each other at all.

  • JustinGSEIWI wrote:

    Carl Holzhauer wrote:

    Neally wrote:

    Carl Holzhauer wrote:

    for security reasons

    Can you elaborate?

    Not real well.  Without getting into too much that I'd prefer not to share with a 'named' account, that's just what I was told in the past.  I'd like to think it's because it opens up another avenue of attack for a bad actor...with only RDP open, for example, they're going to have a much harder time attacking a workstation than they would if they had PS Remoting open to them and could blast out "whatever" to hundreds of workstations at once.

    How are you logging and alerting on this? With a SIEM?

    For your concern with an attacker using this against multiple machines, I recommend blocking all RFC 1918 traffic inbound/outbound between your workstations. This will help prevent lateral movement between workstations. I did this months ago and have not had any trouble. My workstations are not allowed to communicate with each other at all.

    If you block that traffic, how do you communicate with them?

  • Are you running the PS remote commands from a server? If that is the case, the servers are not blocked, just the workstations are blocked from communicating with each other. So anything coming from the server would not be blocked. If you are doing this from a workstation, you could add an exception to the firewall rule for that workstation.

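    The workstation-isolation rules described in the two posts above (block workstation-to-workstation RFC 1918 traffic, leave the management servers alone, carve out one admin workstation), as an added example that is not the poster's own configuration. The subnets and the admin address are assumptions; real deployments push this by GPO.

```powershell
# Added example, not code from the thread. Assumed addressing:
#   workstations 10.20.0.0/16, management servers 10.10.0.0/24, admin box 10.20.0.50
# Run elevated on a workstation to test; deploy by GPO in practice.
$serverNet = '10.10.0.0/24'

# Windows Firewall applies Block rules before Allow rules, so an Allow rule cannot
# carve an exception out of a Block rule. The admin workstation's exception is
# therefore made by leaving its address out of the block scope.
$blockScope = @('10.20.0.1-10.20.0.49', '10.20.0.51-10.20.255.254')

$rules = @(
    @{ DisplayName = 'Block inbound from other workstations'; Direction = 'Inbound'
       Action = 'Block'; RemoteAddress = $blockScope }
    @{ DisplayName = 'Block outbound to other workstations';  Direction = 'Outbound'
       Action = 'Block'; RemoteAddress = $blockScope }
    # Servers are outside the block scope, so only an explicit inbound allow for
    # WinRM (5985 HTTP, 5986 HTTPS) from the server subnet is needed.
    @{ DisplayName = 'Allow WinRM from management servers';  Direction = 'Inbound'
       Action = 'Allow'; RemoteAddress = $serverNet; Protocol = 'TCP'
       LocalPort = @(5985, 5986) }
)
foreach ($r in $rules) {
    # Idempotent: replace any existing rule of the same name.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @r -Profile Domain | Out-Null
}

# Verify the address scope that actually landed on each rule.
foreach ($r in $rules) {
    $filter = Get-NetFirewallRule -DisplayName $r.DisplayName | Get-NetFirewallAddressFilter
    '{0}: remote {1}' -f $r.DisplayName, ($filter.RemoteAddress -join ', ')
}
```

    The block scope has to list every workstation range explicitly, so when the workstation VLANs change the rule must be regenerated, which is one reason to keep admin tooling on a separate server subnet instead of relying on the per-host exception.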
  • When I first started using PowerShell Remoting for an in-house tool for centralized, semi-automated software deployments / removals, I initially thought that the default settings on Windows Server / 10 needed to be changed, but it turns out it is encrypted by default and I couldn't find any real evidence of it being a security vulnerability. We use this mostly for servers because most of our endpoints are remote and managed by Kaseya.

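    A way to confirm the "encrypted by default" point from the post above on a given host, as an added example (not the poster's code). It reads the WSMan service settings that would undo that default: unencrypted traffic allowed, Basic auth on the service, or a non-empty client TrustedHosts list, and lists the listeners so you can see whether HTTP, HTTPS or both are bound.

```powershell
# Added example, not code from the thread. Run elevated on the host to check.
# Even the HTTP listener encrypts the payload at the message level with
# Kerberos or NTLM, unless AllowUnencrypted or Basic auth has been switched on.
function Test-WinRmHardening {
    $svc = 'WSMan:\localhost\Service'
    $findings = @()
    if ((Get-Item "$svc\AllowUnencrypted").Value -eq 'true') {
        $findings += 'AllowUnencrypted is true: message-level encryption can be skipped'
    }
    if ((Get-Item "$svc\Auth\Basic").Value -eq 'true') {
        $findings += 'Basic auth enabled on the service: only safe over the HTTPS listener'
    }
    $trusted = (Get-Item 'WSMan:\localhost\Client\TrustedHosts').Value
    if ($trusted) {
        $findings += "Client TrustedHosts is '$trusted': NTLM fallback possible to these hosts"
    }
    # One line per listener: Transport=HTTP Address=* Port=5985, etc.
    $listeners = Get-ChildItem 'WSMan:\localhost\Listener' | ForEach-Object {
        (Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" |
            Where-Object Name -in 'Transport', 'Address', 'Port' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Listeners = $listeners
        Findings  = if ($findings) { $findings } else { 'defaults intact' }
    }
}
Test-WinRmHardening
```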
