LoFP / It's unlikely that a DNS entry contains the specific structure used by this attack. Filter as needed for your organization.

Techniques

Sample rules

DNS Kerberos Coercion

Description

Detects DNS-based Kerberos coercion attacks in which adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, as in CVE-2025-33073. The detection uses Suricata DNS telemetry and looks for the specific CREDENTIAL_TARGET_INFORMATION structures in DNS queries.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution where DNS.query="*1UWhRC*" DNS.query="*AAAAA*" DNS.query="*YBAAAA*" by DNS.answer DNS.answer_count DNS.query DNS.query_count DNS.reply_code_id DNS.src DNS.vendor_product
| `drop_dm_object_name(DNS)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime query count src dest
| `dns_kerberos_coercion_filter`
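As an added example (not Splunk Security Content's code), the same three-pattern match and per-source aggregation applied offline to constructed DNS log lines, so the search's AND semantics and first/last-seen roll-up can be inspected without a Splunk instance; the key=value line format and case-insensitive matching are assumptions.

```python
"""Offline re-implementation of the 'DNS Kerberos Coercion' match logic.

Educational example, not the Splunk Security Content detection itself
(which runs as the tstats search above). Log format is constructed.
"""
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# The three wildcard patterns from the detection's tstats WHERE clause.
# Splunk ANDs them, so a query must match all three to be reported.
QUERY_PATTERNS = ("*1UWhRC*", "*AAAAA*", "*YBAAAA*")

# Constructed sample lines (assumed key=value format; not real telemetry).
# Only lines 2-4 carry all three markers; line 5 has just one and must not hit.
SAMPLE_LOG = """\
_time=2025-07-01T10:00:01Z src=10.0.0.5 dest=10.0.0.2 query=intranet.corp.example reply_code_id=0
_time=2025-07-01T10:00:07Z src=10.0.0.5 dest=10.0.0.2 query=1UWhRCAAAAAYBAAAAxyz.corp.example reply_code_id=3
_time=2025-07-01T10:00:09Z src=10.0.0.9 dest=10.0.0.2 query=aaaaa1uwhrcybaaaa.corp.example reply_code_id=3
_time=2025-07-01T10:00:12Z src=10.0.0.5 dest=10.0.0.2 query=1UWhRCAAAAAYBAAAAxyz.corp.example reply_code_id=3
_time=2025-07-01T10:00:15Z src=10.0.0.7 dest=10.0.0.2 query=1UWhRC.corp.example reply_code_id=0
"""


def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def query_matches(query):
    """True only if the query matches every pattern in QUERY_PATTERNS.

    Matching is case-insensitive here; that is an assumption about how the
    deployed Splunk search compares field values, so verify it locally.
    """
    q = query.lower()
    return all(fnmatchcase(q, p.lower()) for p in QUERY_PATTERNS)


def detect(log_text):
    """Mirror the tstats roll-up: count and first/last seen per (src, dest, query)."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not query_matches(ev["query"]):
            continue
        ts = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ")
        h = hits[(ev["src"], ev["dest"], ev["query"])]
        h["count"] += 1
        h["firstTime"] = ts if h["firstTime"] is None else min(h["firstTime"], ts)
        h["lastTime"] = ts if h["lastTime"] is None else max(h["lastTime"], ts)
    return [{"src": k[0], "dest": k[1], "query": k[2], **v} for k, v in sorted(hits.items())]


if __name__ == "__main__":
    for row in detect(SAMPLE_LOG):
        print(row)
```

Rows the site-specific `dns_kerberos_coercion_filter` macro would drop (known-benign sources or names) can be removed from the returned list before reporting.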