Is TLS more secure? The WinRMS case.

This research demonstrates a PoC NTLM relay to WinRM over HTTPS (WinRMS) that can lead to remote code execution in environments allowing NTLMv1 or with Channel Binding misconfigured; the post covers WinRM protocol details, an NTLMRelayX module, real-world caveats, and mitigation (enable CbtHardeningLevel="Strict").