
Rule Info

Name: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is a strong indicator of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
Date: 2025-06-20 00:00:00
Modified: None
Id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
Tags: attack.credential-access attack.persistence attack.privilege-escalation attack.t1557.001 attack.t1187
Type: Community Rule
Link to Public Repo
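The following is an added example, not the rule's own detection logic (the rule YAML is not reproduced on this page): it applies the signature described above to constructed Sysmon-style DNS query log lines. It assumes the page's "1UWhRCAAAAA..BAAAA" notation means the literal prefix, any two characters, then the literal "BAAAA", and that the log line format and host names are hypothetical.

```python
import re

# Assumed reading of the page's pattern "1UWhRCAAAAA..BAAAA": literal prefix,
# exactly two arbitrary characters, literal "BAAAA". Matching is case-sensitive
# because the signature is base64 of a marshaled CREDENTIAL_TARGET_INFORMATION.
COERCION_SPN_PATTERN = re.compile(r"1UWhRCAAAAA..BAAAA")


def is_coercion_query(query_name: str) -> bool:
    """True if a DNS query name carries the coercion signature."""
    return COERCION_SPN_PATTERN.search(query_name) is not None


def scan_dns_log(lines):
    """Scan constructed Sysmon Event ID 22 style lines of the form
    '<timestamp> <host> EventID=22 QueryName=<name>' and return
    (host, query_name) tuples for every line that matches."""
    hits = []
    for line in lines:
        m = re.search(r"QueryName=(\S+)", line)
        if m and is_coercion_query(m.group(1)):
            host = line.split()[1]  # hypothetical field layout
            hits.append((host, m.group(1)))
    return hits


# Constructed sample log: one benign query, one query carrying the
# signature, and a lowercase look-alike that must not match.
SAMPLE_LOG = [
    "2025-06-20T10:00:01Z WS01 EventID=22 QueryName=wpad.corp.example",
    "2025-06-20T10:00:02Z WS01 EventID=22 "
    "QueryName=srv1UWhRCAAAAAAABAAAAxyz.corp.example",
    "2025-06-20T10:00:03Z WS02 EventID=22 "
    "QueryName=1uwhrcaaaaaaabaaaa.corp.example",
]

if __name__ == "__main__":
    for host, name in scan_dns_log(SAMPLE_LOG):
        print(f"possible Kerberos coercion via DNS SPN spoofing: {host} queried {name}")
```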
Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5492 from @swachchhanda000 - Kerberos Coercion Via DNS SPN Spoofing
Date: 2025-07-08
Commit: