Potential Kerberos Coercion via DNS-Based SPN Spoofing

Last updated 18 days ago on 2026-04-24

Created a year ago on 2025-06-14

About

Identifies directory-service access or creation events involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure associated with DNS-based SPN spoofing used in Kerberos coercion tradecraft. Adversaries may abuse such records to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Credential AccessData Source: Active DirectoryUse Case: Active Directory MonitoringData Source: Windows Security Event LogsLanguage: kuery

Severity

high

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Adversary-in-the-Middle (T1557)(external, opens in a new tab or window)

↳ Forced Authentication (T1187)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-system.security*logs-windows.forwarded*winlogbeat-*

Related Integrations

system(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗host.os.type:"windows" and
(
  (event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
  (event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
)

Install detection rules in Elastic Security

Detect Potential Kerberos Coercion via DNS-Based SPN Spoofing in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).