Potential Kerberos SPN Spoofing via Suspicious DNS Query

Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity), enabling attacks such as NTLM reflection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/06/14"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/06/14"

[transform]
[[transform.investigate]]
label = "Show the related DNS events"
providers = [
  [
    { excluded = false, field = "dns.question.name", queryType = "phrase", value = "{{dns.question.name}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[rule]
author = ["Elastic"]
description = """
Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern
corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is
associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim
systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services
(often the victim's own identity), enabling attacks such as NTLM reflection.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.network-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Kerberos SPN Spoofing via Suspicious DNS Query"
note = """## Triage and analysis

### Investigating Potential Kerberos SPN Spoofing via Suspicious DNS Query

> **Note**:
> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.

### Possible investigation steps

- Identify the system that issued the DNS query for the suspicious hostname. Determine whether it is a server or an end user device. This technique is typically only relevant against server systems, but queries originating from workstations may indicate compromise or misuse.
- Identify the attacker-controlled system by getting the IP addresses (`dns.resolved_ip`) that this DNS query resolved to, looking for the related `lookup_result` events.
    - $investigate_0
- If this alert was triggered on a domain controller, escalate the investigation to involve the incident response team to determine the full scope of the breach as soon as possible.

### False positive analysis

- This activity is unlikely to happen legitimately.

### Response and remediation

- Review and remove malicious DNS records containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
- Isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
    "https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025",
    "https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/",
    "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
    "https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md",
    "https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md",
]
risk_score = 73
rule_id = "99ac5005-8a9e-4625-a0af-5f7bb447204b"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"
[[rule.threat.technique.subtechnique]]
id = "T1557.001"
name = "LLMNR/NBT-NS Poisoning and SMB Relay"
reference = "https://attack.mitre.org/techniques/T1557/001/"


[[rule.threat.technique]]
id = "T1187"
name = "Forced Authentication"
reference = "https://attack.mitre.org/techniques/T1187/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
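The rule's EQL query and the "related `lookup_result` events" pivot from the investigation guide, replayed offline over constructed ECS-shaped DNS events. This is an added example, not code from the Elastic rule repository; it assumes the fields `event.category`, `event.action`, `host.os.type`, `dns.question.name` and `dns.resolved_ip`, and the sample hostnames and IPs are constructed.

```python
import re

# The wildcard from the rule: network where host.os.type == "windows"
# and dns.question.name : "*UWhRC*BAAAA*"
RULE_GLOB = "*UWhRC*BAAAA*"

def glob_to_regex(glob: str) -> re.Pattern:
    """Translate an EQL wildcard pattern into a regex. EQL's ':' operator is a
    case-insensitive match, so the regex is compiled with IGNORECASE to mirror it."""
    parts = (re.escape(p) for p in glob.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

RULE_PATTERN = glob_to_regex(RULE_GLOB)

def _get(event: dict, *path):
    """Walk a dotted ECS path (e.g. dns.question.name) through nested dicts."""
    cur = event
    for key in path:
        cur = cur.get(key) if isinstance(cur, dict) else None
    return cur

def matches_rule(event: dict) -> bool:
    """Apply the three conditions of the EQL query to one event."""
    category = _get(event, "event", "category")
    if isinstance(category, str):
        category = [category]            # ECS allows a scalar or a list here
    name = _get(event, "dns", "question", "name") or ""
    return (
        "network" in (category or [])
        and _get(event, "host", "os", "type") == "windows"
        and RULE_PATTERN.match(name) is not None
    )

def triage(events) -> dict:
    """Map each alerting hostname to the IPs it resolved to, using the
    lookup_result events for the same dns.question.name ($investigate_0)."""
    hits = {_get(e, "dns", "question", "name") for e in events if matches_rule(e)}
    resolved = {name: set() for name in hits}
    for e in events:
        name = _get(e, "dns", "question", "name")
        if name in resolved and _get(e, "event", "action") == "lookup_result":
            resolved[name].update(_get(e, "dns", "resolved_ip") or [])
    return {name: sorted(ips) for name, ips in resolved.items()}

# Constructed sample events (hostnames and IPs are invented for the demo).
SUSPICIOUS = "UWhRCAAAAAAAAAAAAAAAAAAAAAAABAAAA.corp.example"
SAMPLE_EVENTS = [
    {"event": {"category": ["network"], "action": "lookup_requested"},
     "host": {"os": {"type": "windows"}}, "dns": {"question": {"name": SUSPICIOUS}}},
    {"event": {"category": ["network"], "action": "lookup_result"},
     "host": {"os": {"type": "windows"}},
     "dns": {"question": {"name": SUSPICIOUS}, "resolved_ip": ["203.0.113.10"]}},
    {"event": {"category": ["network"], "action": "lookup_requested"},
     "host": {"os": {"type": "windows"}}, "dns": {"question": {"name": "fileserver.corp.example"}}},
    {"event": {"category": ["network"], "action": "lookup_requested"},
     "host": {"os": {"type": "linux"}}, "dns": {"question": {"name": SUSPICIOUS}}},
]
```

Only the Windows query for the blob-carrying name alerts; the `lookup_result` pivot then yields the resolved address to hunt for in the rest of the telemetry.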
