Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network

Rule Info

Name
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure embedded in a DNS record name. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
Date
2025-06-20 00:00:00
Modified
None
Id
5588576c-5898-4fac-bcdd-7475a60e8f43
Tags
attack.collection attack.credential-access attack.persistence attack.privilege-escalation attack.t1557.001 attack.t1187
Type
Community Rule
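The description above names the two fixed base64 fragments ("1UWhRCAAAAA" and "BAAAA") but not why they appear. The following is an added example, not part of the Sigma rule or of the project's own code: it decodes the leading fragment to show the fixed header bytes it encodes, and runs the same contains-both-fragments check over a few constructed Sysmon Event ID 22 records. The interpretation of the ".." in the rule text as "anything in between", the field names (QueryName, Image, EventID) and the sample events are assumptions made for this example.

```python
import base64
import re
import struct

# Signature fragments quoted in the rule description. The ".." between them is
# treated here as an arbitrary gap (assumption made for this example).
LEAD = "1UWhRCAAAAA"
TAIL = "BAAAA"
SIGNATURE_RE = re.compile(re.escape(LEAD) + r".*" + re.escape(TAIL))


def decode_signature_header(query_name: str) -> tuple[int, int]:
    """Base64-decode the 11-char leading fragment and return the first two
    little-endian DWORDs. The fragment decodes to D5 45 A1 44 20 00 00 00,
    i.e. 0x44A145D5 followed by 0x20, which is the constant header the rule
    text attributes to the marshaled CREDENTIAL_TARGET_INFORMATION blob."""
    start = query_name.find(LEAD)
    if start < 0:
        raise ValueError("signature fragment not present")
    raw = base64.b64decode(LEAD + "=")  # 12 chars -> 8 bytes
    magic, second = struct.unpack("<II", raw)
    return magic, second


def is_spn_spoof_query(query_name: str) -> bool:
    """Detection logic: both fragments present, lead before tail."""
    return SIGNATURE_RE.search(query_name) is not None


def scan_dns_events(events: list[dict]) -> list[dict]:
    """Apply the check to Sysmon DNS query events (EventID 22) and return hits."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        name = ev.get("QueryName", "")
        if is_spn_spoof_query(name):
            magic, _ = decode_signature_header(name)
            hits.append({"Image": ev.get("Image"),
                         "QueryName": name,
                         "magic": f"0x{magic:08X}"})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "wpad.corp.example"},
    {"EventID": 22, "Image": r"C:\Windows\System32\lsass.exe",
     "QueryName": "srv1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA.corp.example"},
    {"EventID": 3, "Image": r"C:\Windows\System32\lsass.exe",
     "QueryName": "srv1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA.corp.example"},
]

if __name__ == "__main__":
    for hit in scan_dns_events(SAMPLE_EVENTS):
        print(hit)
```

Only the second sample matches: the third carries the same name but is not a DNS query event, so a rule keyed on Event ID 22 ignores it. The decoded header (0x44A145D5, then 0x20) is what makes the base64 prefix stable across attacks; the bytes after it vary with the target, which is why the rule anchors on the fixed fragments rather than the whole name.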

Rule History

Author | Title | Date | Commit
phantinuss | chore: ci: bump validator version (#5722) | 2025-10-23 |
Swachchhanda Shrawan Poudel | Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing | 2025-07-08 |