
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (b07e58cf-cacc-4135-8473-ccb2eba63dd2)

Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, which is used in Kerberos coercion attacks: when a DNS name carries such a blob, the Kerberos client takes the Service Principal Name (SPN) from the embedded structure, so an adversary who registers such a record can coerce victim systems into authenticating to an attacker-controlled host under a spoofed SPN. A DNS record of this form is one of the strongest indicators of a Kerberos coercion attack in which adversaries manipulate DNS records to spoof SPNs and redirect authentication requests, as in CVE-2025-33073. Investigate the user account that made the change; it is likely a low-privileged account that has been compromised, since by default any authenticated domain user can create records in AD-integrated DNS zones.
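As an added worked example (not the Sigma rule itself or its test data), the following Python applies the detection logic described above to constructed Windows security event records. It assumes the relevant telemetry is event ID 5136 (directory service object modified) with the fields `ObjectDN`, `ObjectClass`, `SubjectUserName` and `SubjectDomainName`, scopes the match to `dnsNode` objects, and treats the text between the two anchors "1UWhRCAAAAA" and "BAAAA" as base64 characters; the anchors come from the rule description, the character class and the event scoping are assumptions. The sample blob is shaped like the pattern but is not a real marshaled structure.

```python
"""Flag AD DNS node changes whose name embeds a marshaled CREDENTIAL_TARGET_INFORMATION blob."""
import re
from dataclasses import dataclass
from typing import Optional

# Anchors from the rule description: the blob starts with "1UWhRCAAAAA" and ends
# with "BAAAA". Allowing the base64 alphabet in between is an assumption.
TARGET_INFO_RE = re.compile(r"1UWhRCAAAAA[A-Za-z0-9+/=]*BAAAA")


@dataclass(frozen=True)
class Finding:
    record_id: int
    account: str        # DOMAIN\user that wrote the DNS record (the account to investigate)
    dns_node: str       # full node name as stored in the DN, blob included
    spoofed_host: str   # host part preceding the marshaled blob
    object_dn: str


def dns_node_name(object_dn: str) -> str:
    """Return the value of the leading DC= RDN of a dnsNode DN.

    AD-integrated DNS stores each record as DC=<name>,DC=<zone>,CN=MicrosoftDNS,...
    so the first RDN is the relative host name.
    """
    first_rdn = object_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "DC":
        raise ValueError(f"not a DNS node DN: {object_dn!r}")
    return value


def spoofed_host(dns_node: str) -> Optional[str]:
    """Host name that precedes the marshaled blob, or None if the name carries no blob."""
    m = TARGET_INFO_RE.search(dns_node)
    if m is None:
        return None
    return dns_node[: m.start()]


def is_coercion_dns_change(event: dict) -> bool:
    """Rule logic: a 5136 modification of a dnsNode whose DN carries the marshaled blob.

    Both anchors are required, so a name that merely ends in BAAAA does not match.
    Event ID and dnsNode scoping are assumptions about the rule, not from the page.
    """
    return (
        event.get("EventID") == 5136
        and event.get("ObjectClass") == "dnsNode"
        and TARGET_INFO_RE.search(event.get("ObjectDN", "")) is not None
    )


def find_coercion_dns_changes(events) -> list:
    """Run the rule over a sequence of event dicts and return one Finding per hit."""
    findings = []
    for ev in events:
        if not is_coercion_dns_change(ev):
            continue
        node = dns_node_name(ev["ObjectDN"])
        findings.append(Finding(
            record_id=ev["RecordId"],
            account=f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            dns_node=node,
            spoofed_host=spoofed_host(node) or "",
            object_dn=ev["ObjectDN"],
        ))
    return findings


# Constructed blob: matches the documented shape only; it is NOT a real marshaled structure.
CONSTRUCTED_BLOB = "1UWhRCAAAAA" + "A" * 22 + "BAAAA"

# Constructed sample events (hypothetical domain corp.local, hypothetical user jdoe).
SAMPLE_EVENTS = [
    {   # attacker-style record: "fileserver" followed by the marshaled blob
        "RecordId": 1001, "EventID": 5136, "ObjectClass": "dnsNode",
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "ObjectDN": f"DC=fileserver{CONSTRUCTED_BLOB},DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local",
    },
    {   # ordinary dynamic DNS update, must not fire
        "RecordId": 1002, "EventID": 5136, "ObjectClass": "dnsNode",
        "SubjectUserName": "PRINTER01$", "SubjectDomainName": "CORP",
        "ObjectDN": "DC=printer01,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local",
    },
    {   # only the trailing anchor present, must not fire (both anchors required)
        "RecordId": 1003, "EventID": 5136, "ObjectClass": "dnsNode",
        "SubjectUserName": "LABHOSTBAAAA$", "SubjectDomainName": "CORP",
        "ObjectDN": "DC=labhostBAAAA,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local",
    },
]

if __name__ == "__main__":
    for f in find_coercion_dns_changes(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.account} registered {f.dns_node!r} "
              f"(spoofs host {f.spoofed_host!r})")
```

When triaging a hit, the `account` field is the pivot: it identifies the principal that wrote the record, and the `spoofed_host` value tells you which existing service name the adversary is impersonating, so you can check whether clients have since resolved that name.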

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) | Attack Pattern | Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (b07e58cf-cacc-4135-8473-ccb2eba63dd2) | Sigma-Rules | 1 |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | DHCP Spoofing - T1557.003 (59ff91cd-1430-4075-8563-e6f15f4f9ff5) | Attack Pattern | 2 |