Detectionhighexperimental

Attempts of Kerberos Coercion Via DNS SPN Spoofing

Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Jun 200ed99dda-6a35-11ef-8c99-0242ac120002windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

synacktiv.com

Resolving title…

googleprojectzero.blogspot.com

MITRE ATT&CK

Tactics

TA0009 · Collection TA0006 · Credential Access TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1187 · Forced Authentication

Sub-techniques

T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay

Related Rules

SimilarDetectionhigh

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation

Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

0ed99dda-6a35-11ef-8c99-0242ac120002

Status

experimental

Level

high

Type

Detection

Created

Fri Jun 20

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml

Raw Tags

attack.collectionattack.credential-accessattack.persistenceattack.privilege-escalationattack.t1557.001attack.t1187

View on GitHub