Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network

Original Source: [Sigma source]
Title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
Status: experimental
Description: Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. The pattern is a strong indicator of a Kerberos coercion attack, in which adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
References:
  - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
  - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-06-20
Modified: None
Tags:
  • attack.credential-access
  • attack.persistence
  • attack.privilege-escalation
  • attack.t1557.001
  • attack.t1187
Logsource:
  • product: zeek
  • service: dns
Detection:
  selection:
    query|contains|all:
      - 'UWhRCA'
      - 'BAAAA'

  condition: selection
Falsepositives:
  - Unknown
Level: high
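
The selection above, applied to JSON-format Zeek dns.log lines, as an added example that is not part of the original rule or of the Sigma project. The function names, sample hosts, domain names and the filler between the two substrings are constructed for illustration; matching is case-insensitive, as Sigma string matching is by default.

```python
import json

# Substrings from the rule's selection (query|contains|all).
REQUIRED = ("UWhRCA", "BAAAA")

def matches_rule(query):
    # True only when every required substring occurs in the query name.
    # Both sides are case-folded: Sigma matches strings case-insensitively
    # by default, and DNS names may be logged in lower case.
    if not isinstance(query, str):
        return False
    q = query.casefold()
    return all(s.casefold() in q for s in REQUIRED)

def scan_dns_log(lines):
    # Return (ts, id.orig_h, query) for each dns.log record that matches.
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if isinstance(rec, dict) and matches_rule(rec.get("query")):
            hits.append((rec.get("ts"), rec.get("id.orig_h"), rec["query"]))
    return hits

# Constructed sample records. The filler is a placeholder, not a real
# marshaled CREDENTIAL_TARGET_INFORMATION structure.
_NAME = "srv1UWhRCAAAAA" + "A" * 30 + "BAAAA.corp.example"
SAMPLE_LOG = [
    json.dumps({"ts": 1750400000.1, "id.orig_h": "10.0.0.21",
                "query": "fileserver.corp.example"}),
    json.dumps({"ts": 1750400003.4, "id.orig_h": "10.0.0.21", "query": _NAME}),
    json.dumps({"ts": 1750400005.9, "id.orig_h": "10.0.0.37",
                "query": _NAME.lower()}),          # lower-cased by a resolver
    json.dumps({"ts": 1750400007.2, "id.orig_h": "10.0.0.40",
                "query": "cdnUWhRCA.example"}),    # only one substring present
    '{"ts": 1750400009.0, "id.orig_h": "10.0.0.41", "qu',  # truncated line
]

if __name__ == "__main__":
    for ts, src, query in scan_dns_log(SAMPLE_LOG):
        print(ts, src, query)
```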