DETECTION OVERVIEW
Risk Factors
PowerShell Remoting is normally available only to local administrators; however, if an attacker gains remote access to a server, the amount of potential damage depends on the privileges available on the compromised server.
The system might change the risk score for this detection.
Kill Chain
Risk Score: 56
PowerShell is a built-in Windows command-line shell and scripting language that is enabled by default on most enterprise machines. An attacker who gains remote access to PowerShell on a single computer on your network can run malicious code without installing any files. Note that WSMAN protocol activity is typically associated with PowerShell Remoting.
Disable PowerShell Remoting on devices where remote access is unnecessary
Complete all remote administration tasks from a dedicated management host
Create a group policy object (GPO) to allow remote administration only from trusted groups
Disable NTLM authentication, which is less secure than Kerberos
Disable the HTTP listener and route all remoting traffic through HTTPS
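The following read-only audit script is an added example, not code from the original page or from the detection product; it checks a host's WinRM configuration against the recommendations above (service state, HTTP listener, NTLM/Basic authentication, unencrypted traffic, and the GPO connection filter). The registry path and value names under the Policies key are those written by the "Allow remote server management through WinRM" policy and are assumed here.

```powershell
# Added example (not from the original page): read-only audit of a host's
# WinRM / PowerShell Remoting settings against the hardening recommendations above.
# Run in an elevated PowerShell session on the host being checked; nothing is changed.

function Test-PSRemotingHardening {
    $findings = @()

    # Remoting depends on the WinRM service; hosts that are never administered remotely should not run it.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm -and $winrm.Status -eq 'Running') {
        $findings += 'WinRM service is running: confirm this host actually needs remote administration'
    }

    # Listeners: an HTTP listener (default port 5985) carries remoting traffic without TLS.
    foreach ($l in Get-ChildItem -Path 'WSMan:\localhost\Listener' -ErrorAction SilentlyContinue) {
        $props     = Get-ChildItem -Path (Join-Path 'WSMan:\localhost\Listener' $l.Name)
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        if ($transport -eq 'HTTP') {
            $findings += "HTTP listener present ($($l.Name)): replace it with an HTTPS listener"
        }
    }

    # Authentication methods the service accepts. Negotiate permits NTLM fallback, so Kerberos-only
    # means Kerberos=true and Negotiate=false; Basic sends credentials without protection.
    $auth = @{}
    foreach ($a in Get-ChildItem -Path 'WSMan:\localhost\Service\Auth' -ErrorAction SilentlyContinue) {
        $auth[$a.Name] = $a.Value
    }
    if ($auth['Basic'] -eq 'true')     { $findings += 'Basic authentication enabled: disable it' }
    if ($auth['Negotiate'] -eq 'true') { $findings += 'Negotiate enabled: NTLM fallback possible, prefer Kerberos only' }
    if ($auth['Kerberos'] -ne 'true')  { $findings += 'Kerberos disabled: enable it before turning Negotiate off' }

    # Unencrypted message bodies must stay disallowed even while an HTTP listener exists.
    $unenc = Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -ErrorAction SilentlyContinue
    if ($unenc -and $unenc.Value -eq 'true') { $findings += 'AllowUnencrypted is true: set it to false' }

    # Assumed GPO location: "Allow remote server management through WinRM" writes IPv4Filter/IPv6Filter here.
    # A filter of '*' accepts connections from any address rather than from a dedicated management host.
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    if (-not $pol) {
        $findings += 'No WinRM GPO applied: remoting scope is not centrally controlled'
    } elseif ($pol.IPv4Filter -eq '*') {
        $findings += 'GPO IPv4Filter is *: restrict it to the management host(s)'
    }

    return $findings
}

Test-PSRemotingHardening | ForEach-Object { Write-Output "[FINDING] $_" }
```

Turning Negotiate off enforces Kerberos and therefore breaks remoting by IP address or with local (non-domain) accounts, so verify that management hosts connect by domain name first.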