Detection rules › Splunk
DNS Kerberos Coercion
Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages suricata looking for specific CREDENTIAL_TARGET_INFORMATION structures in DNS queries.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1187 Forced Authentication, T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Collection | T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Command & Control | T1071.004 Application Layer Protocol: DNS |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: tstats
tstats WHERE DNS.query="*1UWhRC*" DNS.query="*AAAAA*" DNS.query="*YBAAAA*" BY DNS.answer, DNS.answer_count, DNS.query, DNS.query_count, DNS.reply_code_id, DNS.src, DNS.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: table
table count, dest, firstTime, lastTime, query, src
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DNS.query | eq |
|