H3-2023-0015

Authenticated Microsoft Windows Machine Account NTLM Coercion via EventLog Remoting Protocol Manipulation

Category	SECURITY_MISCONFIGURATION
Base Score	5.3

Description

Microsoft's EventLog Remoting Protocol [MS-EVEN] provides a Remote Procedure Call (RPC) interface for reading events in both live and backup event logs on remote computers. An attacker controlling a domain user/computer can, with a specific Remote Procedure Call (RPC), manipulate one of the vulnerable methods to make it authenticate to a target of the attacker's choosing. This flaw has not been addressed by Microsoft.

Impact

An authenticated attacker with access to low privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.

References

• [MS-EVEN]: EventLog Remoting Protocol
• KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)