Hidden Gems in McAfee ePO Audit Logs

There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is that it contains an audit log containing authentication information to include any supplied usernames, as shown below.

As weird as it may seem, sometimes people will type in their username AND their password on the same line and submit them for authentication, not realizing the mistake. Well, McAfee ePO logs that information as is. In the example below, the password is likely ‘PA$$word1337’.

This happens more often than what you may think and users with the applicable permissions can see this information in the audit logs. From a blue team perspective, being cognizant of the likelihood of this artifact is vital. As a red team member, this is easy pickings. Not only will it likely get you into the application with the user’s information in the logs but that user could also have more rights than the user you may be currently using. Also, whatever the password is for the user whose information is in the log, it is also likely to be that user’s password to their local or domain account or possibly to other applications in the network.