Techniques
Sample rules
Windows Kerberos Coercion via DNS
- source: splunk
- techniques:
  - T1071.004
  - T1557.001
  - T1187
Description
Detects DNS-based Kerberos coercion attacks, in which adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, as in CVE-2025-33073. The detection uses Windows Security Event Codes 5136, 5137 and 4662, looking for DNS object events whose record names contain specific CREDENTIAL_TARGET_INFORMATION markers.
Detection logic
`wineventlog_security` (((EventCode="5136" OR EventCode="5137") ObjectClass="dnsNode" ObjectDN="*1UWhRCA*" ObjectDN="*AAAAA*" ObjectDN="*YBAAAA*") OR (EventCode="4662" AdditionalInfo="*1UWhRCA*" AdditionalInfo="*AAAAA*" AdditionalInfo="*YBAAAA*"))
| eval Object=coalesce(lower(ObjectGUID), trim(AdditionalInfo2, "%{}"))
| eval user=coalesce(SubjectUserName, Caller_User_Name)
| stats min(_time) as firstTime, max(_time) as lastTime values(EventCode) as event_codes values(ObjectDN) as dns_record values(user) as user values(Computer) as dest by Object
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_kerberos_coercion_via_dns_filter`
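As an added example (not part of the Splunk content and not the rule's own code), the following Python re-implements the search and stats clauses above over constructed event dicts, so the marker filter, the coalesce logic and the per-Object aggregation can be checked offline; field names follow the SPL, while the GUIDs, host and user names are constructed sample values.

```python
from collections import defaultdict

# The three substrings the rule requires in the DNS record name (ObjectDN for 5136/5137, AdditionalInfo for 4662).
MARKERS = ("1UWhRCA", "AAAAA", "YBAAAA")


def matches_rule(ev):
    """Mirror of the rule's search clause for one event dict."""
    code = str(ev.get("EventCode", ""))
    if code in ("5136", "5137"):
        return ev.get("ObjectClass") == "dnsNode" and all(
            m in ev.get("ObjectDN", "") for m in MARKERS)
    if code == "4662":
        return all(m in ev.get("AdditionalInfo", "") for m in MARKERS)
    return False


def object_key(ev):  # eval Object=coalesce(lower(ObjectGUID), trim(AdditionalInfo2, "%{}"))
    guid = ev.get("ObjectGUID")
    return guid.lower() if guid else (ev.get("AdditionalInfo2") or "").strip("%{}")


def aggregate(events):
    """Replay the stats clause: one row per Object with first/last time and values()."""
    rows = defaultdict(lambda: {"firstTime": float("inf"), "lastTime": float("-inf"),
                                "event_codes": set(), "dns_record": set(),
                                "user": set(), "dest": set()})
    for ev in filter(matches_rule, events):
        row = rows[object_key(ev)]
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["event_codes"].add(str(ev["EventCode"]))
        # values() skips nulls; user is coalesce(SubjectUserName, Caller_User_Name)
        for col, val in (("dns_record", ev.get("ObjectDN")), ("dest", ev.get("Computer")),
                         ("user", ev.get("SubjectUserName") or ev.get("Caller_User_Name"))):
            if val:
                row[col].add(val)
    return dict(rows)


# Constructed sample events (not real telemetry); the record name is a placeholder that only contains the markers.
RECORD_DN = "DC=srv1UWhRCAAAAAYBAAAAxx,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": "5137", "ObjectClass": "dnsNode", "ObjectDN": RECORD_DN,
     "ObjectGUID": "{7D2C4B1E-0000-4000-8000-000000000001}",
     "SubjectUserName": "lowpriv", "Computer": "DC01.corp.example"},
    {"_time": 160, "EventCode": "4662", "AdditionalInfo": RECORD_DN,
     "AdditionalInfo2": "%{7d2c4b1e-0000-4000-8000-000000000001}",
     "Caller_User_Name": "lowpriv", "Computer": "DC01.corp.example"},
    {"_time": 200, "EventCode": "5137", "ObjectClass": "dnsNode", "SubjectUserName": "dnsadmin",  # ordinary record
     "ObjectDN": "DC=printer01,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"},
]
```

In this sample the 5137 and 4662 events land in separate rows, because lower(ObjectGUID) keeps the braces while trim() strips them from AdditionalInfo2; whether the two branches collapse onto one Object in production depends on how ObjectGUID is extracted from your events.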