Attempts of Kerberos Coercion Via DNS SPN Spoofing

Detects the substring pattern "UWhRC....AAYBAAAA" in a process command line. The pattern "1UWhRCAAAAA..BAAAA" is the base64 encoding of a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is a strong indicator of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. A command line containing this pattern is most likely an attempt to add a spoofed SPN to DNS, or a check for the presence of such a record via the nslookup command.

Sigma rule (View on GitHub)

```yaml
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
      type: similar
status: experimental
description: |
    Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
    to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
    If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
    or checking for the presence of such records through the `nslookup` command.
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1557.001
    - attack.t1187
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection
falsepositives:
    - Unknown
level: high
```
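The selection above is a `contains|all` match on two substrings, which Sigma evaluates case-insensitively by default. The following added example (not part of the rule or the Sigma project) implements that matching logic in Python and runs it over a few constructed process-creation events: a DNS record addition carrying the marshaled target-info label, an `nslookup` check for such a record, and two benign commands. The command lines, hostnames and the `dnstool.py` invocation are constructed samples; the marshaled blob is abbreviated to a run of `A` characters between the two rule substrings rather than a real structure.

```python
"""Run the Sigma selection 'CommandLine|contains|all' over sample events."""
import re

# Substrings from the rule's selection. Sigma string matching is
# case-insensitive unless a modifier says otherwise, so we lower-case both sides.
REQUIRED_SUBSTRINGS = ("UWhRCA", "BAAAA")

# Regex used only for triage: pull out the DNS label that looks like the
# base64 blob (starts with UWhRC, base64 charset, ends in BAAAA).
MARSHALED_LABEL = re.compile(r"UWhRC[A-Za-z0-9+/]*BAAAA")


def matches_rule(command_line: str) -> bool:
    """Sigma 'contains|all' semantics: every listed value must occur."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in REQUIRED_SUBSTRINGS)


def extract_marshaled_labels(command_line: str) -> list[str]:
    """Return candidate marshaled-target-info labels for analyst triage."""
    return MARSHALED_LABEL.findall(command_line)


def evaluate(events: list[dict]) -> list[dict]:
    """Return the subset of events that trigger the rule, with triage data."""
    hits = []
    for event in events:
        cmd = event.get("CommandLine", "")
        if matches_rule(cmd):
            hits.append({
                "Image": event.get("Image", ""),
                "labels": extract_marshaled_labels(cmd),
            })
    return hits


# Constructed sample events (not real telemetry). The blob is abbreviated:
# the real marshaled structure is considerably longer than 40 filler bytes.
FAKE_BLOB = "UWhRCA" + "A" * 40 + "BAAAA"

SAMPLE_EVENTS = [
    {  # spoofed SPN record being added to AD-integrated DNS
        "Image": r"C:\Python311\python.exe",
        "CommandLine": (
            "python.exe dnstool.py -u LAB\\user -p Passw0rd "
            f"-r srv1{FAKE_BLOB}.lab.local -a add -d 10.0.0.50 dc01.lab.local"
        ),
    },
    {  # attacker or responder checking whether the record resolves
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": f"nslookup srv1{FAKE_BLOB}.lab.local",
    },
    {  # benign: ordinary name lookup
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup fileserver.lab.local",
    },
    {  # benign: contains one substring only, must not match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo BAAAA > out.txt",
    },
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["Image"], hit["labels"])
```

Both halves of the selection must be present, so the fourth event (which carries only `BAAAA`) is correctly ignored, while the DNS-add and the `nslookup` event both fire and surface the suspicious label for the analyst.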
