MS-EVEN is Microsoft's EventLog Remoting Protocol. It provides an RPC interface for reading events in both live and backup event logs on remote computers. That interface is available through the \PIPE\eventlog SMB named pipe.
We can abuse this protocol to coerce authentications. As with other MS-RPC abuses, this works by calling a specific method that relies on a remote address. In this case, the ElfrOpenBELW method was found to be vulnerable.
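On the detection side, remote use of this interface shows up on the target as Security event 5145 (Detailed File Share auditing) for the eventlog pipe on IPC$. The following is an added example, not code from the original page: it flags such events when the source is not an expected log reader, since legitimate remote log collection opens the same pipe. The sample events, host names and the allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample: Security event 5145 records flattened to dicts (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "dc01.corp.example", "SubjectUserName": "svc-siem",
     "IpAddress": "10.0.5.20", "ShareName": r"\\*\IPC$", "RelativeTargetName": "eventlog"},
    {"EventID": 5145, "Computer": "dc01.corp.example", "SubjectUserName": "jdoe",
     "IpAddress": "::ffff:10.0.9.77", "ShareName": r"\\*\IPC$", "RelativeTargetName": "EVENTLOG"},
    {"EventID": 5145, "Computer": "dc01.corp.example", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.9.77", "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
    {"EventID": 5145, "Computer": "fs01.corp.example", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.9.77", "ShareName": r"\\*\SYSVOL", "RelativeTargetName": "eventlog"},
]
# Assumption: networks allowed to read event logs remotely (collectors, admin hosts).
ALLOWED_SOURCES = ["10.0.5.0/24"]


def _normalize_ip(raw):
    """Parse the IpAddress field, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip


def flag_eventlog_pipe_access(events, allowed_sources):
    """Return (computer, source, user) for eventlog pipe opens from unexpected sources."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        share = ev.get("ShareName", "").rstrip("\\").upper()
        pipe = ev.get("RelativeTargetName", "").strip("\\").lower()
        if not share.endswith("IPC$") or pipe != "eventlog":
            continue
        ip = _normalize_ip(ev.get("IpAddress", ""))
        # Unparseable source addresses are reported rather than silently trusted.
        if ip is not None and any(ip in net for net in allowed):
            continue
        alerts.append((ev.get("Computer"), str(ip) if ip else ev.get("IpAddress"), ev.get("SubjectUserName")))
    return alerts
```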