Windows Kerberos Coercion via DNS

Author: Raven Tait, Splunk
Source: upstream

Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages Windows Security Event Codes 5136, 5137, 4662, looking for DNS events with specific CREDENTIAL_TARGET_INFORMATION entries.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1187` Forced Authentication, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Collection	`T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Command & Control	`T1071.004` Application Layer Protocol: DNS

Event coverage

Provider	Event ID	Title
Security-Auditing	4662	An operation was performed on an object.
Security-Auditing	5136	A directory service object was modified.
Security-Auditing	5137	A directory service object was created.

Stages and Predicates

Stage 1: `search`

search (((EventCode="5136" OR EventCode="5137") ObjectClass="dnsNode" ObjectDN="*1UWhRCA*" ObjectDN="*AAAAA*" ObjectDN="*YBAAAA*") OR (AdditionalInfo="*1UWhRCA*" AdditionalInfo="*AAAAA*" AdditionalInfo="*YBAAAA*" EventCode="4662"))

Stage 2: `eval`

eval ... using (AdditionalInfo2, ObjectGUID)

Stage 3: `eval`

eval ... using (Caller_User_Name, SubjectUserName)

Stage 4: `stats`

stats BY Object

Stage 5: `search`

search

Stage 6: `search`

search

Stage 7: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AdditionalInfo`	eq	`"1UWhRCA"` `"AAAAA"` `"YBAAAA"`
`EventCode`	eq	`"4662"` `"5136"` `"5137"`
`ObjectClass`	eq	`"dnsNode"` corpus 2 (splunk 2)
`ObjectDN`	eq	`"1UWhRCA"` `"AAAAA"` `"YBAAAA"`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Windows AD Short Lived Server Object [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Windows Group Policy Object Created [splunk]
Windows Short Lived DNS Record [splunk]

Windows Kerberos Coercion via DNS

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: eval

Stage 3: eval

Stage 4: stats

Stage 5: search

Stage 6: search

Stage 7: search