Is there a "least privilege" way for WinRM probing?
Dear OT-Base Community,
-
We were wondering the same thing, and through a lot of testing (which did not fix things) and finally interaction with our Microsoft TAM, we found there is a dependency: to access the Windows Update Agent API remotely through WinRM, you must have administrative permissions.
(https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer)
Without direct PAM integration (I still need to write the feature request), we are investigating multiple mechanisms, including separate dedicated-purpose accounts, using PAM for automated password rotation with scripted updates to OTbase (on an increased frequency), and implementing detections for these WinRM probe accounts, looking for logins of these IDs outside of normal probing hours and/or on non-target servers.
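The detection idea in the comment above (probe accounts logging on outside the probing window or on hosts they should never touch) as an added, stand-alone example. This is not code from the OT-Base page, the commenter, or the OTbase product. It assumes Windows Security event 4624 (successful logon) records have already been normalised into dictionaries by a log pipeline; the account names, hostnames, probing window and the sample events are constructed for illustration, and the logon-type check is an extra signal beyond what the comment describes.

```python
"""Flag out-of-policy use of dedicated WinRM probe accounts.

Added example, not part of the original post or of OTbase.
Input: Windows Security 4624 events as dicts (field names assumed to match
the XML EventData names: TargetUserName, LogonType, Computer, TimeCreated).
"""
from datetime import datetime, time

# Constructed policy (assumptions): the service accounts used for WinRM
# probing, the hosts they are allowed to touch, and the daily probing window.
PROBE_ACCOUNTS = {"svc-otbase-probe1", "svc-otbase-probe2"}
TARGET_HOSTS = {"plc-hmi-01", "scada-srv-02", "hist-srv-03"}
WINDOW_START = time(1, 0)   # 01:00 local time
WINDOW_END = time(3, 0)     # 03:00 local time
# Logon type 3 (network) is what a WinRM session produces on the target.
# Any other type for a probe account (interactive 2, RDP 10, ...) is suspicious.
NETWORK_LOGON = 3


def in_window(ts: datetime) -> bool:
    """True if the timestamp's time of day falls inside the probing window."""
    t = ts.time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t <= WINDOW_END
    return t >= WINDOW_START or t <= WINDOW_END  # window spans midnight


def evaluate(event: dict) -> list:
    """Return the policy violations for one event (empty list = acceptable)."""
    if event.get("EventID") != 4624:
        return []  # only successful logons are of interest here
    account = str(event.get("TargetUserName", "")).lower()
    if account not in PROBE_ACCOUNTS:
        return []  # not one of the dedicated probe identities
    host = str(event.get("Computer", "")).lower()
    ts = datetime.fromisoformat(event["TimeCreated"])
    logon_type = int(event.get("LogonType", 0))

    findings = []
    if host not in TARGET_HOSTS:
        findings.append(f"{account} logged on to non-target host {host}")
    if not in_window(ts):
        findings.append(f"{account} logged on at {ts.isoformat()} outside the probing window")
    if logon_type != NETWORK_LOGON:
        findings.append(f"{account} used logon type {logon_type}, expected {NETWORK_LOGON} (network/WinRM)")
    return findings


def scan(events) -> list:
    """Run evaluate() over a batch and return (host, finding) pairs."""
    return [(e.get("Computer"), f) for e in events for f in evaluate(e)]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # expected probe: probe account, target host, in window, network logon
    {"EventID": 4624, "TimeCreated": "2024-05-01T01:30:00", "Computer": "plc-hmi-01",
     "TargetUserName": "svc-otbase-probe1", "LogonType": 3},
    # same account and host, but in the afternoon
    {"EventID": 4624, "TimeCreated": "2024-05-01T14:12:00", "Computer": "plc-hmi-01",
     "TargetUserName": "svc-otbase-probe1", "LogonType": 3},
    # in window, but the host is a domain controller, not a probe target
    {"EventID": 4624, "TimeCreated": "2024-05-01T02:05:00", "Computer": "dc-01",
     "TargetUserName": "svc-otbase-probe2", "LogonType": 3},
    # target host, in window, but an RDP logon (type 10) instead of WinRM
    {"EventID": 4624, "TimeCreated": "2024-05-01T02:10:00", "Computer": "scada-srv-02",
     "TargetUserName": "svc-otbase-probe2", "LogonType": "10"},
    # a normal operator logon is out of scope for this rule
    {"EventID": 4624, "TimeCreated": "2024-05-01T02:10:00", "Computer": "scada-srv-02",
     "TargetUserName": "operator", "LogonType": 2},
    # a failed logon (4625) is ignored by this rule
    {"EventID": 4625, "TimeCreated": "2024-05-01T02:11:00", "Computer": "dc-01",
     "TargetUserName": "svc-otbase-probe1", "LogonType": 3},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"[{host}] {finding}")
```

The rule deliberately keys on the account, host and time of day rather than on the WinRM port, so it works on events collected from the targets themselves; a companion rule on the probing host (or on the PAM checkout log) would close the loop by confirming the logon was preceded by a scheduled OTbase probe.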