
EventLog-in Propagating With Weak Credentials Using the Even...#2011

Open
carlospolop wants to merge 1 commit into master from
update_EventLog-in__Propagating_With_Weak_Credentials_Usi_20260316_131055

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/
  • Blog Title: EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (or a new Windows Lateral Movement/RPC techniques page) / Network Services Pentesting -> MSRPC (135/593) with a subsection on MS-EVEN/EventLog RPC abuse (CVE-2025-29969), NTSTATUS oracles, and TOCTOU via SMB-hosted content

🎯 Content Summary

Post: “EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)” (published Feb 19, 2026).

Vulnerability / Impact
SafeBreach Labs describes CVE-2025-29969, a vulnerability in Microsoft Windows’ MS-EVEN (EventLog) RPC protocol exposed by the EventLog service (enabled by default) on Windows 11 and Windows Server 2025. Using low-privileged authenticated credentials, an attacke...

🔧 Technical Details

RPC service selection for remote exploitation: use RPCView to enumerate RPC servers/endpoints and prefer PIPE/TCP-exported endpoints; ensure the target interface is not marked RPC_IF_ALLOW_LOCAL_ONLY; test that you can pass the interface security callback and any per-function checks by binding/calling with a client like Impacket. A common pitfall is binding with the wrong RPC authentication level, which can yield “access denied” from the security callback even with correct credentials.

NTSTATUS-based remote filesystem probing (“hidden CreateFile”): if an RPC method causes a privileged service to attempt CreateFile on a caller-supplied path, distinct NTSTATUS returns can act as a file/directory existence oracle (e.g., STATUS_OBJECT_NAME_NOT_FOUND (0xc0000034) vs STATUS_FILE_IS_A_DIRECTORY (0xc00000ba) vs STATUS_EVENTLOG_FILE_CORRUPT (0xc000018e)). This enables recon such as enumerating installed software by probin...

🤖 Agent Actions

Summary:

  • Added a concise MS-EVEN EventLog RPC abuse section (NTSTATUS oracle, backup-based write, TOCTOU) to src/network-services-pentesting/135-pentesting-msrpc.md and linked references to the SafeBreach blog, PoC, and MSRC.

Tests: Not run (docs-only change).

File changed:

  • src/network-services-pentesting/135-pentesting-msrpc.md

If you want, I can also add a short cross-link from the MS-EVEN coercion section to this new abuse subsection.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
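The NTSTATUS existence oracle described in the PR summary, as an added worked example that is not part of the PR, the HackTricks page or the SafeBreach write-up: the classifier maps the three status codes named above to what they reveal about a caller-supplied path, and a probe loop turns that into directory enumeration. The transport is abstracted behind a callable; the `fake_rpc_open` function and the `FAKE_FS` tree are constructed stand-ins for the privileged service's CreateFile attempt, and the choice of candidate `Program Files` directories is an assumption about what a real recon run would probe.

```python
"""NTSTATUS existence oracle (added example, not the PoC from the write-up).

A privileged RPC service that calls CreateFile() on a caller-supplied path
leaks one of several NTSTATUS values. Each value tells the caller something
different about the path, so the status alone is a remote existence oracle.
"""
from typing import Callable, Dict, Iterable, List

# Well-known NTSTATUS values named in the PR summary.
STATUS_SUCCESS = 0x00000000
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034   # no such file or directory
STATUS_FILE_IS_A_DIRECTORY = 0xC00000BA     # path exists and is a directory
STATUS_EVENTLOG_FILE_CORRUPT = 0xC000018E   # file exists but is not a valid event log

# What each status reveals about the probed path.
INFERENCE = {
    STATUS_OBJECT_NAME_NOT_FOUND: "absent",
    STATUS_FILE_IS_A_DIRECTORY: "directory",
    STATUS_EVENTLOG_FILE_CORRUPT: "file",
    STATUS_SUCCESS: "eventlog",  # a genuine log opened cleanly
}


def classify(status: int) -> str:
    """Map a raw NTSTATUS to the inference it supports; unknown codes are kept raw."""
    return INFERENCE.get(status & 0xFFFFFFFF, f"other(0x{status & 0xFFFFFFFF:08x})")


def probe(paths: Iterable[str], rpc_open: Callable[[str], int]) -> Dict[str, str]:
    """Ask the service to open every path and record the inference per path."""
    return {p: classify(rpc_open(p)) for p in paths}


def enumerate_install_dirs(candidates: Iterable[str],
                           rpc_open: Callable[[str], int]) -> List[str]:
    """Installed-software recon: keep the candidate directories the oracle says exist."""
    return sorted(p for p, what in probe(candidates, rpc_open).items() if what == "directory")


# Constructed stand-in for the target host (assumption: the same four outcomes a
# real backup/open call would produce). A real probe replaces fake_rpc_open with
# a call into the MS-EVEN method over the eventlog named pipe, bound with the
# authentication level the interface's security callback accepts.
FAKE_FS = {
    r"c:\program files\7-zip": "dir",
    r"c:\program files\wireshark": "dir",
    r"c:\windows\system32\winevt\logs\application.evtx": "evtx",
    r"c:\windows\win.ini": "file",
}


def fake_rpc_open(path: str) -> int:
    """Return the NTSTATUS the constructed target would hand back for `path`."""
    kind = FAKE_FS.get(path.lower())  # NTFS path lookups are case-insensitive
    if kind is None:
        return STATUS_OBJECT_NAME_NOT_FOUND
    if kind == "dir":
        return STATUS_FILE_IS_A_DIRECTORY
    if kind == "file":
        return STATUS_EVENTLOG_FILE_CORRUPT
    return STATUS_SUCCESS


if __name__ == "__main__":
    candidates = [r"C:\Program Files\7-Zip", r"C:\Program Files\Wireshark",
                  r"C:\Program Files\Notepad++", r"C:\Program Files\VMware"]
    for path, what in probe(candidates + [r"C:\Windows\win.ini"], fake_rpc_open).items():
        print(f"{what:10} {path}")
    print("present:", enumerate_install_dirs(candidates, fake_rpc_open))
```

Only the status code is needed: the probe never reads file contents, which is why the oracle works from a low-privileged account as long as the call reaches the privileged service. Any status outside the mapped set is surfaced verbatim rather than guessed at, so a new code (for example an access-denied result on a protected path) shows up as a distinct bucket for the operator to interpret.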

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (or a new Windows Lateral Movement/RPC techniques page) / Network Services Pentesting -> MSRPC (135/593) with a subsection on MS-EVEN/EventLog RPC abuse (CVE-2025-29969), NTSTATUS oracles, and TOCTOU via SMB-hosted content".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
