Potential Kerberos Coercion via DNS-Based SPN Spoofing

Author: Elastic
Source: upstream

Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1187` Forced Authentication, `T1557` Adversary-in-the-Middle, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Collection	`T1557` Adversary-in-the-Middle, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Event coverage

Provider	Event ID	Title
Security-Auditing	4662	An operation was performed on an object.
Security-Auditing	5137	A directory service object was created.

Stages and Predicates

Stage 1: `kql:query`

(winlog.event_data.AdditionalInfo:"*UWhRC*BAAAA*MicrosoftDNS*" or winlog.event_data.ObjectDN:"*UWhRC*BAAAA*MicrosoftDNS*")

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`winlog.event_data.AdditionalInfo`	wildcard	`UWhRCBAAAAMicrosoftDNS`
`winlog.event_data.ObjectDN`	wildcard	`UWhRCBAAAAMicrosoftDNS`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Windows AD Short Lived Server Object [splunk]
Windows Administrative Shares Accessed On Multiple Hosts [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Windows Kerberos Coercion via DNS [splunk]