← @kwm Twitter archive



Looking at network-based detection of PowerShell remoting. Default ports are 5985 and 5986, but this can be changed via WinRM, Group Policy, or PowerShell (and surely other methods, too).

If you're not looking at Event Logs and/or process bindings for network connections . . .

3/9/2018, 4:38:14 PM

Favs: 11

Retweets: 3