Attempts of Kerberos Coercion Via DNS SPN Spoofing (0ed99dda-6a35-11ef-8c99-0242ac120002)

Detects the presence of the "UWhRC....AAYBAAAA" pattern in the command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed SPNs to DNS records, or to check for the presence of such records through the nslookup command.
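The check described above, sketched as an added example for triaging process-creation logs; it is not the Sigma rule itself or code from this page. The event fields, host names and record names are constructed, and requiring the "UWhRC" head and "BAAAA" tail inside one whitespace-free token is an assumption of this example.

```python
import re

# Both renderings of the signature on this page share a "UWhRC" head and a
# "BAAAA" tail. Assumption of this example: the two markers must appear in
# that order inside a single run of base64 characters.
MARKER = re.compile(r"UWhRC[A-Za-z0-9+/]*BAAAA")


def find_marshaled_target(command_line):
    """Return the command-line token that carries the signature, or None."""
    for raw in command_line.split():
        token = raw.strip("\"'")
        if MARKER.search(token):
            return token
    return None


def triage(events):
    """Return (host, token) pairs for events whose command line matches."""
    hits = []
    for event in events:
        token = find_marshaled_target(event["cmd"])
        if token is not None:
            hits.append((event["host"], token))
    return hits


# Constructed sample events; the padding between the markers is filler,
# not a real marshaled structure.
PAD = "A" * 30
SAMPLE_EVENTS = [
    # Lookup of a record name carrying the signature: should be flagged.
    {"host": "ws01", "cmd": f"nslookup fileserver1UWhRC{PAD}AAYBAAAA.corp.example"},
    # Ordinary lookup: no markers.
    {"host": "ws02", "cmd": "nslookup fileserver.corp.example"},
    # Head marker only, followed by a non-base64 character: not flagged.
    {"host": "ws03", "cmd": 'powershell -c "Resolve-DnsName UWhRC-notes.corp.example"'},
    # Both markers, but in separate tokens: not flagged by this stricter check.
    {"host": "ws04", "cmd": "cmd /c echo UWhRC & echo BAAAA"},
]

if __name__ == "__main__":
    for host, token in triage(SAMPLE_EVENTS):
        print(f"{host}: possible spoofed-SPN DNS name in command line: {token}")
```

Matching within one token is stricter than a plain "contains both strings" test, so it trades some recall for fewer hits on unrelated command lines that happen to contain both fragments.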

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Attempts of Kerberos Coercion Via DNS SPN Spoofing (0ed99dda-6a35-11ef-8c99-0242ac120002) | Sigma-Rules | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 1 |
| Attempts of Kerberos Coercion Via DNS SPN Spoofing (0ed99dda-6a35-11ef-8c99-0242ac120002) | Sigma-Rules | Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) | Attack Pattern | 1 |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 2 |