Is there a "least privilege" way for WinRM probing?


  • Justin Opatrny

    We were wondering the same thing, and through a lot of testing (which did not fix things), and finally interaction with our Microsoft TAM, there is a dependency: to access the Windows Update Agent API remotely through WinRM, you must have administrative permissions.
    (https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer)

    Without direct PAM integration (I still need to write the feature request), we are investigating multiple mechanisms including separate dedicated-purpose accounts, using PAM for automated password rotation with scripted updates to OTbase (on an increased frequency), and implementing detections for these WinRM probe accounts looking for logins of these IDs outside of normal probing hours and/or on non-target servers.

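The detection idea in the comment above (alert when a dedicated probe account logs on outside its probing window or to a server that is not a probe target) as a worked example. This is added here and is not code from the thread, from OTbase, or from any vendor; the event records, account name, host names, addresses and probing window are constructed placeholders, and the fields mirror what you would pull from Security event 4624 (TargetUserName, Computer, IpAddress, LogonType, TimeCreated) in whatever SIEM or log pipeline you use.

```python
"""Flag logons by dedicated WinRM probe accounts that fall outside the
expected probing window, land on non-target hosts, come from an unexpected
source, or are not network (type 3) logons. Added example; all data is
constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Constructed sample events (hypothetical account, hosts and addresses),
# shaped like the fields of Security event 4624 after extraction.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:15:00Z", "user": "svc-otbase-probe", "host": "OT-HIST-01",
     "logon_type": 3, "src_ip": "10.10.5.20"},   # expected probe
    {"time": "2024-03-01T02:20:00Z", "user": "svc-otbase-probe", "host": "OT-HMI-02",
     "logon_type": 3, "src_ip": "10.10.5.20"},   # expected probe
    {"time": "2024-03-01T14:05:00Z", "user": "svc-otbase-probe", "host": "OT-HIST-01",
     "logon_type": 3, "src_ip": "10.10.5.20"},   # outside probing window
    {"time": "2024-03-01T02:30:00Z", "user": "svc-otbase-probe", "host": "CORP-FS-01",
     "logon_type": 3, "src_ip": "10.10.5.20"},   # not a probe target
    {"time": "2024-03-01T02:35:00Z", "user": "svc-otbase-probe", "host": "OT-HIST-01",
     "logon_type": 10, "src_ip": "10.10.5.20"},  # RemoteInteractive, not WinRM
    {"time": "2024-03-01T02:40:00Z", "user": "jdoe", "host": "CORP-FS-01",
     "logon_type": 3, "src_ip": "10.10.7.9"},    # ordinary user, out of scope
]


@dataclass(frozen=True)
class ProbePolicy:
    """What 'normal' looks like for the probe identities."""
    accounts: frozenset        # lower-case sAMAccountNames of probe accounts
    target_hosts: frozenset    # upper-case names of servers the probe may touch
    probe_sources: frozenset   # addresses the probing system connects from
    window_start: time         # probing window, UTC
    window_end: time


# Hypothetical policy: probes run 01:00-04:00 UTC from one collector host.
DEFAULT_POLICY = ProbePolicy(
    accounts=frozenset({"svc-otbase-probe"}),
    target_hosts=frozenset({"OT-HIST-01", "OT-HMI-02"}),
    probe_sources=frozenset({"10.10.5.20"}),
    window_start=time(1, 0),
    window_end=time(4, 0),
)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp; keeping everything in UTC avoids
    window checks being skewed by per-host local time."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(ts, start, end):
    """True if the time-of-day of ts lies in [start, end); handles a window
    that wraps past midnight (e.g. 22:00-02:00)."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(events, policy):
    """Return a list of {'event', 'reasons'} for probe-account logons that
    deviate from the policy. Events for other accounts are ignored here;
    they belong to a different detection."""
    findings = []
    for ev in events:
        if ev["user"].lower() not in policy.accounts:
            continue
        reasons = []
        if not in_window(parse_ts(ev["time"]), policy.window_start, policy.window_end):
            reasons.append("outside probing window")
        if ev["host"].upper() not in policy.target_hosts:
            reasons.append("non-target host")
        if ev["src_ip"] not in policy.probe_sources:
            reasons.append("unexpected source address")
        if ev["logon_type"] != 3:
            # WinRM sessions show up as network (type 3) logons; anything
            # else means the credential is being used in a way the probe
            # never would (interactive, RDP, service, batch).
            reasons.append("non-network logon type %d" % ev["logon_type"])
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS, DEFAULT_POLICY):
        ev = f["event"]
        print("%s %s -> %s: %s" % (ev["time"], ev["user"], ev["host"], "; ".join(f["reasons"])))
```

The source-address and logon-type checks are not in the comment but follow from the same reasoning: a probe account that is only ever used by one collector over WinRM should never authenticate from elsewhere or interactively, and those two signals catch a leaked or rotated-but-cached credential earlier than the time window alone. Pair this with the password rotation the comment describes so that a flagged logon also tells you which rotation cycle the credential came from.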
