Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of the "UWhRC....AAYBAAAA" pattern in a process command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
If you see this pattern in a command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the nslookup command.
Sigma rule

```yaml
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
      type: similar
status: experimental
description: |
    Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
    to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
    If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
    or checking for the presence of such records through the `nslookup` command.
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.collection
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1557.001
    - attack.t1187
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection
falsepositives:
    - Unknown
level: high
```
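The detection logic above is a single `CommandLine|contains|all` selection. The following is an added example (not part of the rule page or the SigmaHQ project) that re-implements that selection in plain Python and runs it over a few constructed Windows process-creation events. It follows Sigma's default semantics for `contains`: every listed substring must appear in the field, and matching is case-insensitive. The command lines are constructed; the long marshaled blob is truncated to the prefix and suffix the rule keys on.

```python
"""Evaluate the Sigma rule's CommandLine|contains|all selection over sample events.

Added illustration, not the rule author's code. The events below are constructed;
the "1UWhRCAAAA...BAAAA" token stands in for a marshaled
CREDENTIAL_TARGET_INFORMATION blob and is not a real captured value.
"""

# Substrings taken directly from the rule's selection block.
REQUIRED_SUBSTRINGS = ("UWhRCA", "BAAAA")


def matches_selection(command_line, needles=REQUIRED_SUBSTRINGS):
    """Return True when every needle is a case-insensitive substring (Sigma contains|all)."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def evaluate_events(events):
    """Return the list of event ids whose CommandLine satisfies the selection."""
    return [e["id"] for e in events if matches_selection(e.get("CommandLine", ""))]


# Constructed process_creation events (product: windows).
SAMPLE_EVENTS = [
    {   # nslookup against a record whose name carries the marshaled prefix/suffix
        "id": 1,
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup srv1UWhRCAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA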
References
Related rules
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Potential PetitPotam Attack Via EFS RPC Calls
- Potential Suspicious Activity Using SeCEdit