Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing

Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. A query matching this pattern is a strong indicator of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.

Sigma rule

title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
related:
    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
      type: similar
    - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
      type: similar
status: experimental
description: |
    Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
    to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1557.001
    - attack.t1187
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection
falsepositives:
    - Unknown
level: high
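
The rule's selection logic applied to constructed dns_query events, as an added example that is not part of the rule or of the Sigma project. It shows that Sigma's default case-insensitive matching still fires when the logged name has been lowercased. The `ordered_match` tightening, the event field layout and all hostnames are assumptions of this example.

```python
import re

# Substrings from the rule's detection.selection (QueryName|contains|all).
RULE_SUBSTRINGS = ("UWhRCA", "BAAAA")

# Stricter, added check (assumption of this example): both markers inside one
# DNS label, in the order given by the description's "1UWhRCAAAAA..BAAAA".
ORDERED = re.compile(r"UWhRCA[^.]*BAAAA", re.IGNORECASE)


def sigma_match(query_name: str) -> bool:
    """contains|all with Sigma's default case-insensitive string matching."""
    name = query_name.lower()
    return all(s.lower() in name for s in RULE_SUBSTRINGS)


def ordered_match(query_name: str) -> bool:
    """True when the markers appear in pattern order inside a single label."""
    return ORDERED.search(query_name) is not None


def triage(events):
    """Return (Computer, QueryName, verdict) for every event the rule hits."""
    hits = []
    for ev in events:
        name = ev.get("QueryName", "")
        if sigma_match(name):
            verdict = "pattern-order" if ordered_match(name) else "substrings-only"
            hits.append((ev.get("Computer", "?"), name, verdict))
    return hits


# Constructed events with Sysmon Event ID 22 style fields. The long label is
# filler between the two markers, not a real marshaled structure.
FILLER = "1UWhRCA" + "A" * 40 + "BAAAA"
SAMPLE_EVENTS = [
    {"Computer": "ws01.corp.example", "QueryName": "fileserver" + FILLER + ".corp.example"},
    {"Computer": "ws02.corp.example", "QueryName": ("fileserver" + FILLER).lower() + ".corp.example"},
    {"Computer": "ws03.corp.example", "QueryName": "cdn-baaaa.example.net.uwhrca.example.org"},
    {"Computer": "ws04.corp.example", "QueryName": "intranet.corp.example"},
]

if __name__ == "__main__":
    for computer, name, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:16} {computer:20} {name}")
```

A `substrings-only` verdict marks a hit where the two markers are present but not in the order the description gives, which is a candidate for false-positive review rather than automatic dismissal.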
