Skip to content


Microsoft Windows Machine Account NTLM Coercion via EventLog Remoting Protocol Manipulation

Base Score 5.3


Microsoft's EventLog Remoting Protocol [MS-EVEN] provides a Remote Procedure Call (RPC) interface for reading events in both live and backup event logs on remote computers. An attacker controlling a domain user/computer can, with a specific Remote Procedure Call (RPC), manipulate one of the vulnerable methods to make it authenticate to a target of the attacker's choosing. This flaw has not been addressed by Microsoft.


An attacker with unauthorized access to the network can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.