Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network

 1title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
 2id: 5588576c-5898-4fac-bcdd-7475a60e8f43
 3related:
 4    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
 5      type: similar
 6    - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
 7      type: similar
 8status: experimental
 9description: |
10    Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
11    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
12    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
13    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
14    to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.    
15references:
16    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
17    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
18author: Swachchhanda Shrawan Poudel (Nextron Systems)
19date: 2025-06-20
20tags:
21    - attack.collection
22    - attack.credential-access
23    - attack.persistence
24    - attack.privilege-escalation
25    - attack.t1557.001
26    - attack.t1187
27logsource:
28    product: zeek
29    service: dns
30detection:
31    selection:
32        query|contains|all:
33            - 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA
34            - 'BAAAA'
35    condition: selection
36falsepositives:
37    - Unknown
38level: high