LoFP / It's unlikely that a DNS entry contains the specific structure used by this attack. Filter as needed for your organization.

Techniques

Sample rules

DNS Kerberos Coercion

Description

Detects DNS-based Kerberos coercion attacks in which adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, as in CVE-2025-33073. The detection leverages Suricata DNS telemetry, looking for the specific CREDENTIAL_TARGET_INFORMATION structures in DNS queries.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.src) as src values(DNS.dest) as dest FROM datamodel=Network_Resolution
  WHERE DNS.query="*1UWhRC*" DNS.query="*AAAAA*" DNS.query="*YBAAAA*"
  BY DNS.answer DNS.answer_count DNS.query DNS.query_count DNS.reply_code_id DNS.src DNS.vendor_product
| `drop_dm_object_name(DNS)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime query count src dest
| `dns_kerberos_coercion_filter`
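The same matching and aggregation applied to constructed DNS records in Python, as an added illustration that is not part of the LoFP page or of the Splunk rule. The record fields are modelled on the Network_Resolution data model fields the search uses, the `_time` values are synthetic ISO-8601 strings, and `apply_filter` is a hypothetical stand-in for the `dns_kerberos_coercion_filter` macro.

```python
from typing import Dict, Iterable

# The three wildcard terms the search ANDs together in its WHERE clause.
REQUIRED_SUBSTRINGS = ("1UWhRC", "AAAAA", "YBAAAA")

# Constructed sample records shaped after the Network_Resolution fields the
# search uses (synthetic values, not real traffic). ISO-8601 _time strings
# compare correctly as plain strings.
SAMPLE_DNS_LOGS = [
    {"_time": "2025-06-01T10:00:00", "src": "10.0.0.5", "dest": "10.0.0.53",
     "query": "x1UWhRCxxAAAAAxxYBAAAAxx.corp.example"},
    {"_time": "2025-06-01T10:05:00", "src": "10.0.0.7", "dest": "10.0.0.53",
     "query": "x1UWhRCxxAAAAAxxYBAAAAxx.corp.example"},
    {"_time": "2025-06-01T10:06:00", "src": "10.0.0.8", "dest": "10.0.0.53",
     "query": "www.example.com"},
    # Carries two of the three terms only, so it must not fire.
    {"_time": "2025-06-01T10:07:00", "src": "10.0.0.9", "dest": "10.0.0.53",
     "query": "xYBAAAAAx.example.com"},
]

def matches_coercion_pattern(query: str) -> bool:
    """Literal substring test for every term; all three must be present."""
    return all(term in query for term in REQUIRED_SUBSTRINGS)

def run_detection(records: Iterable[dict]) -> Dict[str, dict]:
    """Group matching records by query with count, firstTime, lastTime and the
    distinct src/dest values, as the tstats aggregation does."""
    results: Dict[str, dict] = {}
    for rec in records:
        if not matches_coercion_pattern(rec["query"]):
            continue
        agg = results.setdefault(rec["query"], {
            "count": 0, "firstTime": rec["_time"], "lastTime": rec["_time"],
            "src": set(), "dest": set()})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], rec["_time"])
        agg["lastTime"] = max(agg["lastTime"], rec["_time"])
        agg["src"].add(rec["src"])
        agg["dest"].add(rec["dest"])
    # Sorted lists keep the output stable across runs.
    for agg in results.values():
        agg["src"] = sorted(agg["src"])
        agg["dest"] = sorted(agg["dest"])
    return results

def apply_filter(results: Dict[str, dict], allowed_queries: Iterable[str] = ()) -> Dict[str, dict]:
    """Hypothetical stand-in for the `dns_kerberos_coercion_filter` macro:
    drop query names the organisation has vetted as expected."""
    allowed = set(allowed_queries)
    return {q: agg for q, agg in results.items() if q not in allowed}

if __name__ == "__main__":
    for query, agg in run_detection(SAMPLE_DNS_LOGS).items():
        print(query, agg)
```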