Detection | high | experimental

Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network

Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a Base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.

Swachchhanda Shrawan Poudel (Nextron Systems) | Created Fri Jun 20 | 5588576c-5898-4fac-bcdd-7475a60e8f43 | network
Log Source
Zeek (Bro) / dns
Product: Zeek (Bro) (raw: zeek)
Service: dns (raw: dns)
Detection Logic
1 selector
detection:
    selection:
        query|contains|all:
            - 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA
            - 'BAAAA'
    condition: selection
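
The selection above applied to Zeek dns.log records, as an added example that is not part of the rule or the Sigma project. The log excerpt, hostnames, addresses and function names are constructed for illustration, and the text between the two markers is a placeholder rather than a real marshaled structure.

```python
import csv
import io

# Substrings from the rule's selection (query|contains|all).
MARKERS = ("UWhRCA", "BAAAA")

# Constructed Zeek dns.log excerpt (TSV, columns trimmed for the example).
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name",
    "#types\ttime\tstring\taddr\taddr\tstring\tstring",
    "1750400000.1\tCa1\t10.0.0.21\t10.0.0.5\tfileserver.corp.example\tA",
    "1750400001.2\tCa2\t10.0.0.34\t10.0.0.5\tsrv1UWhRCAAAAAPLACEHOLDERBAAAA.corp.example\tA",
    "1750400002.3\tCa3\t10.0.0.34\t10.0.0.5\tsrv1uwhrcaaaaaplaceholderbaaaa.corp.example\tA",
    "1750400003.4\tCa4\t10.0.0.40\t10.0.0.5\tUWhRCA-only.corp.example\tA",
    "1750400004.5\tCa5\t10.0.0.41\t10.0.0.5\t-\t-",
    "#close\t2025-06-20-00-00-00",
])


def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for row in csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE):
        if not row:
            continue
        if row[0] == "#fields":
            fields = row[1:]
        elif not row[0].startswith("#") and fields and len(row) == len(fields):
            yield dict(zip(fields, row))


def matches_rule(query):
    """Sigma contains|all: every marker present, in any order.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    q = query.lower()
    return all(m.lower() in q for m in MARKERS)


def hunt(text):
    """Return (ts, client, query) for each record the selection matches."""
    return [(r["ts"], r["id.orig_h"], r["query"])
            for r in parse_zeek_tsv(text)
            if r.get("query", "-") != "-" and matches_rule(r["query"])]


if __name__ == "__main__":
    for ts, client, query in hunt(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {query}")
```

The lowercased query in the third sample record still matches, while the record carrying only one of the two markers does not.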
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Related Rules
Similar | Detection | high

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation

Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a Base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.

Detects similar activity. Both rules may fire on overlapping events.

Similar | Detection | high

Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing

Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a Base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
5588576c-5898-4fac-bcdd-7475a60e8f43
Status
experimental
Level
high
Type
Detection
Created
Fri Jun 20
Path
rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
Raw Tags
attack.collection, attack.credential-access, attack.persistence, attack.privilege-escalation, attack.t1557.001, attack.t1187