MS-EVEN abuse (CheeseOunce)
Theory
MS-EVEN is Microsoft's EventLog Remoting Protocol. It provides an RPC interface for reading events in both live and backup event logs on remote computers. That interface is available through the \PIPE\eventlog SMB named pipe.
We can abuse this protocol to coerce authentications. As with other MS-RPC abuses, this works by calling a specific method that relies on a remote address. In this case, the ElfrOpenBELW method was found to be vulnerable.
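Because the interface is reached over the \PIPE\eventlog named pipe, defenders can watch for that pipe being opened from hosts that have no reason to read event logs remotely. The following is an added example, not part of the original page or of the tools it mentions. It assumes Windows Security event 5145 (Audit Detailed File Share) is collected and flattened to dictionaries; the host names, addresses, accounts and allowlist are constructed.

```python
# Added example: flag opens of the eventlog named pipe from unexpected hosts.
# Input: Windows Security events 5145 (needs "Audit Detailed File Share"),
# assumed to be already flattened to dicts by the log pipeline.

# Assumption: hosts that legitimately read event logs remotely (a collector).
EXPECTED_READERS = {"10.0.0.50"}

# Constructed sample events; names and addresses are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "DC01", "IpAddress": "10.0.0.50",
     "SubjectUserName": "svc_siem", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "eventlog"},
    {"EventID": 5145, "Computer": "DC01", "IpAddress": "10.0.0.77",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "eventlog"},
    {"EventID": 5145, "Computer": "FS01", "IpAddress": "10.0.0.77",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "srvsvc"},
    {"EventID": 4624, "Computer": "DC01", "IpAddress": "10.0.0.77",
     "SubjectUserName": "jdoe"},
    {"EventID": 5145, "Computer": "FS01", "IpAddress": "10.0.0.77",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "EVENTLOG"},
]


def is_eventlog_pipe_open(event):
    """True for a 5145 event that records access to IPC$ -> eventlog."""
    if event.get("EventID") != 5145:
        return False
    share = event.get("ShareName", "").lower()
    target = event.get("RelativeTargetName", "").lower().lstrip("\\")
    return share.endswith("ipc$") and target == "eventlog"


def unexpected_eventlog_access(events, expected=EXPECTED_READERS):
    """Map (source_ip, user) -> sorted target hosts, skipping allowlisted IPs."""
    hits = {}
    for ev in events:
        if is_eventlog_pipe_open(ev) and ev.get("IpAddress") not in expected:
            key = (ev.get("IpAddress"), ev.get("SubjectUserName"))
            hits.setdefault(key, set()).add(ev.get("Computer"))
    return {key: sorted(hosts) for key, hosts in hits.items()}


if __name__ == "__main__":
    for (ip, user), hosts in unexpected_eventlog_access(SAMPLE_EVENTS).items():
        print(f"{user}@{ip} opened the eventlog pipe on: {', '.join(hosts)}")
```

One source opening the pipe on several hosts in a short window is a stronger signal than a single hit, since remote log reading normally comes from a small, known set of machines.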
Practice
CheeseOunce
The following Python proof-of-concept (https://github.com/evilashz/CheeseOunce) implements the ElfrOpenBELW method.
Coercer
Alternatively, the Coercer tool (Python) can be used as follows.
Resources