Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation

 1title: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
 2id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
 3related:
 4    - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
 5      type: similar
 6    - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
 7      type: similar
 8    - id: 0ed99dda-6a35-11ef-8c99-0242ac120002 # Kerberos Coercion Via DNS SPN Spoofing Attempt
 9      type: similar
10status: experimental
11description: |
12    Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
13    matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
14    commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
15    attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.
16    where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
17    Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.    
18references:
19    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
20    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
21author: Swachchhanda Shrawan Poudel (Nextron Systems)
22date: 2025-06-20
23tags:
24    - attack.credential-access
25    - attack.t1557.003
26    - attack.persistence
27    - attack.privilege-escalation
28logsource:
29    product: windows
30    service: security
31    definition: |
32      By default these events are not logged by default for MicrosoftDNS objects in Active Directory.
33      To enable detection, configure an AuditRule on the DNS object container with the "CreateChild" permission for the "Everyone" principal.
34      This can be accomplished using tools such as Set-AuditRule (see https://github.com/OTRF/Set-AuditRule).      
35detection:
36    selection_directory_service_changes:
37        EventID:
38            - 5136
39            - 5137
40        ObjectClass: 'dnsNode'
41        ObjectDN|contains|all: # ObjectDN">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
42            - 'UWhRCA'
43            - 'BAAAA'
44            - 'CN=MicrosoftDNS'
45    selection_directory_service_access:
46        EventID: 4662
47        AdditionalInfo|contains|all: # AdditionalInfo">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
48            - 'UWhRCA'
49            - 'BAAAA'
50            - 'CN=MicrosoftDNS'
51    condition: 1 of selection_*
52fields:
53    - SubjectUserName # It is important to check the AccountName field to identify the user, it is likely an low-privileged account that has been compromised.
54falsepositives:
55    - Unknown
56level: high