
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing (e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c)

Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
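The following is an added example, not part of the original rule page, showing how the signature described above can be applied to DNS query log events. It assumes that the ".." in the published pattern stands for an elided run of base64 characters between the two anchors, and it uses constructed sample events with hypothetical field names modeled on Sysmon Event ID 22 (QueryName, Image).

```python
import re

# Signature from the rule description: "1UWhRCAAAAA..BAAAA".
# Assumption: the ".." is an elided run of base64 characters, so the detector
# requires the leading anchor followed (eventually) by the trailing anchor.
# The leading anchor is the start of a base64-encoded marshaled
# CREDENTIAL_TARGET_INFORMATION structure.
SIGNATURE = re.compile(r"1UWhRCAAAAA[A-Za-z0-9+/=]*BAAAA")


def is_kerberos_coercion_query(query_name: str) -> bool:
    """Return True if a DNS query name carries the marshaled-target-info signature."""
    return SIGNATURE.search(query_name or "") is not None


def scan_dns_events(events):
    """Return the subset of events whose QueryName matches the signature, in order."""
    return [e for e in events if is_kerberos_coercion_query(e.get("QueryName", ""))]


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "fileserver.corp.example"},
    {"EventID": 22, "Image": r"C:\Windows\System32\lsass.exe",
     "QueryName": "srv1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA.corp.example"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "wpad.corp.example"},
    # Leading anchor present but no trailing anchor: must not match.
    {"EventID": 22, "Image": r"C:\Program Files\app\app.exe",
     "QueryName": "1UWhRCAAAAAtest.corp.example"},
]


if __name__ == "__main__":
    for hit in scan_dns_events(SAMPLE_EVENTS):
        print("ALERT Kerberos coercion via DNS SPN spoofing:",
              hit["Image"], "->", hit["QueryName"])
```

Because DNS names are looked up by many benign processes, the detector keys only on the signature itself; triage should then pivot on the requesting Image and on which host the record resolves to.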

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing (e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c) | Sigma-Rules | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 1
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing (e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c) | Sigma-Rules | Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) | Attack Pattern | 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 2