Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation

Severity
high
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects modifications to DNS records in Active Directory where the object's Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, which is used in Kerberos coercion attacks: an adversary registers a DNS record whose name is a legitimate hostname followed by the blob, so that a victim resolving and authenticating to that name is coerced into authenticating to an attacker-controlled host under a spoofed Service Principal Name (SPN). It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof SPNs and redirect authentication requests, as in CVE-2025-33073. Investigate the user account that made the change. Authenticated users can create records in AD-integrated DNS zones by default, so the account is likely a low-privileged one that has been compromised.

MITRE ATT&CK coverage

Tactic             Technique
Credential Access  T1557.003 Adversary-in-the-Middle: DHCP Spoofing
Collection         T1557.003 Adversary-in-the-Middle: DHCP Spoofing

Event coverage

Provider           Event ID  Title
Security-Auditing  4662      An operation was performed on an object.
Security-Auditing  5136      A directory service object was modified.
Security-Auditing  5137      A directory service object was created.

Stages and Predicates

Stage 1: 1 of selection_directory_service_changes

ObjectClass: dnsNode
ObjectDN|contains: BAAAA
ObjectDN|contains: 'CN=MicrosoftDNS'
ObjectDN|contains: UWhRCA

Stage 2: 1 of selection_directory_service_access

AdditionalInfo|contains: BAAAA
AdditionalInfo|contains: 'CN=MicrosoftDNS'
AdditionalInfo|contains: UWhRCA
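The two stages above, run over constructed sample Windows Security events, as an added example. This is illustrative code written for this page, not the upstream Sigma rule or any Nextron Systems code. It assumes the three substrings of each stage are jointly required, which is what the described pattern "1UWhRCAAAAA...BAAAA" inside a CN=MicrosoftDNS DN implies; the event dicts, account names, hostnames and the exact run of "A" characters in the blob are constructed sample data, not real logs.

```python
"""Re-implementation of the rule's two selections over constructed events.

Stage 1: EventID 5136/5137, ObjectClass dnsNode, markers in ObjectDN.
Stage 2: EventID 4662, markers in AdditionalInfo.
"""
import re

# Substrings the rule requires. The page describes the blob as
# "1UWhRCAAAAA...BAAAA", so both fragments are treated as jointly
# required here, together with the MicrosoftDNS container in the DN.
MARKERS = ("UWhRCA", "BAAAA", "CN=MicrosoftDNS")

# First RDN of a dnsNode DN is DC=<record name>; a spoofed record name is
# the impersonated hostname followed by the marshaled blob ("1UWhRCA...").
BLOB_RDN = re.compile(r"DC=([^,]*?)(1UWhRCA[^,]*)")

# Constructed DN: hostname "srv1" plus an illustrative marshaled blob.
SPOOFED_DN = (
    "DC=srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,"
    "DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com"
)
BENIGN_DN = ("DC=fileserver01,DC=corp.example.com,CN=MicrosoftDNS,"
             "DC=DomainDnsZones,DC=corp,DC=example,DC=com")

# Constructed sample events (field names follow the rule's predicates).
SAMPLE_EVENTS = [
    # Low-privileged user creates a dnsNode carrying the blob: Stage 1 hit.
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
     "ObjectDN": SPOOFED_DN},
    # Ordinary record registration by a service account: no hit.
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "svc-dhcp",
     "ObjectDN": BENIGN_DN},
    # Object-access audit on the same object, DN in AdditionalInfo: Stage 2 hit.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "AdditionalInfo": "Parameter 1: " + SPOOFED_DN},
    # Object-access audit on a benign record: no hit.
    {"EventID": 4662, "SubjectUserName": "svc-dhcp",
     "AdditionalInfo": "Parameter 1: " + BENIGN_DN},
]


def has_markers(value):
    """True when every marker substring occurs in the field value."""
    return value is not None and all(m in value for m in MARKERS)


def matches_rule(event):
    """Apply the rule: either stage matching is enough ('1 of')."""
    eid = event.get("EventID")
    if eid in (5136, 5137):
        return (event.get("ObjectClass") == "dnsNode"
                and has_markers(event.get("ObjectDN")))
    if eid == 4662:
        return has_markers(event.get("AdditionalInfo"))
    return False


def spoofed_record(text):
    """Return (record_name, impersonated_host) for a DN carrying the blob,
    or None when no RDN contains it. Works on ObjectDN and AdditionalInfo."""
    m = BLOB_RDN.search(text)
    if not m:
        return None
    return m.group(1) + m.group(2), m.group(1)


def triage(events):
    """One tuple per hit: (EventID, acting account, impersonated host)."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        text = ev.get("ObjectDN") or ev.get("AdditionalInfo") or ""
        parsed = spoofed_record(text)
        hits.append((ev["EventID"], ev.get("SubjectUserName"),
                     parsed[1] if parsed else None))
    return hits


def accounts_to_investigate(events):
    """Accounts that made matching changes, as the rule text asks for."""
    return sorted({acct for _, acct, _ in triage(events) if acct})


if __name__ == "__main__":
    for eid, acct, host in triage(SAMPLE_EVENTS):
        print(f"EventID {eid}: {acct} registered a record impersonating {host}")
    print("investigate:", accounts_to_investigate(SAMPLE_EVENTS))
```

The ObjectClass guard applies only to Stage 1; Stage 2 matches on AdditionalInfo alone, so a single record creation normally yields two hits (5137 and 4662) for the same account, which is useful corroboration rather than duplicate noise.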

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count shown after a value is how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. No count, or a count of 1, shows that the indicator is specific to this rule.

Field           Kind   Values
AdditionalInfo  match
  • BAAAA
  • CN=MicrosoftDNS
  • UWhRCA
ObjectClass     eq
  • dnsNode (corpus 3: sigma 2, elastic 1)
ObjectDN        match
  • BAAAA
  • CN=MicrosoftDNS
  • UWhRCA

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.