Threat Feed advisory (severity: high)

Potential Kerberos Coercion via DNS-Based SPN Spoofing

Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.

This detection identifies potential Kerberos coercion attempts via DNS-based SPN spoofing on Windows systems. The technique abuses MicrosoftDNS records; the detection looks for directory-service access or creation events (event IDs 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern “UWhRCA…BAAAA”. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed in Windows Security Event Logs.

Attack Chain

  1. The adversary gains initial access to a system with privileges to modify DNS records in Active Directory.
  2. The attacker creates a new MicrosoftDNS record or modifies an existing one.
  3. Within the DNS record, specifically in the AdditionalInfo or ObjectDN attributes, the attacker inserts a base64-encoded blob matching the pattern “UWhRCA…BAAAA”. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.
  4. The attacker configures the DNS record to point to an attacker-controlled host. This involves manipulating the record’s name and associated IP address.
  5. The attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.
  6. The attacker intercepts the Kerberos authentication request.
  7. The attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.
  8. The attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.

Impact

Successful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.

Recommendation

  • Enable “Audit Directory Service Access” and “Audit Directory Service Changes” Windows audit policies to ensure relevant events are logged (Setup section).
  • Deploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. Tune the rules based on your environment and known legitimate activity.
  • Investigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).
  • Restrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).
  • Monitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).

Detection coverage (2 rules)

Detect Kerberos Coercion via DNS Record Modification

Severity: high

Detects modification events of MicrosoftDNS records that contain a base64-encoded blob associated with Kerberos coercion.

Type: sigma · Tactics: credential_access · Techniques: T1558 · Sources: registry_set, windows

Detect Kerberos Coercion via DNS Event Log

Severity: high

Detects directory service access or creation events (4662, 5137) involving a MicrosoftDNS record that contains a base64-encoded blob.

Type: sigma · Tactics: credential_access · Techniques: T1558 · Sources: process_creation, windows
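As an added example (not part of this advisory and not the platform's own Sigma rules), the following Python sketches the logic of both rules above, and of the overview paragraph, as one check over parsed Windows Security events: it keeps only event IDs 4662 and 5137, requires a MicrosoftDNS path in the object fields, and then searches those fields for the “UWhRCA…BAAAA” blob. The event dictionaries, the choice of fields (ObjectDN, ObjectName, AdditionalInfo) and every sample value are assumptions shaped after the EventData of those events; a real deployment would take the events from the SIEM rather than from the constructed list.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicator named in the advisory: a base64 blob that begins with "UWhRCA"
# and ends with "BAAAA". The middle is left open-ended because the marshaled
# CREDENTIAL_TARGET_INFORMATION structure varies in length.
BLOB_RE = re.compile(r"UWhRCA[A-Za-z0-9+/=]*BAAAA")

# Event IDs the advisory names: 4662 (operation performed on a directory
# object) and 5137 (directory object created).
WATCHED_EVENT_IDS = {4662, 5137}

# EventData fields that can carry a dnsNode name or DN (assumed field set:
# ObjectDN belongs to 5137; ObjectName and AdditionalInfo belong to 4662).
CANDIDATE_FIELDS = ("ObjectDN", "ObjectName", "AdditionalInfo")

# Constructed sample label (not a real observed value) used in SAMPLE_EVENTS.
COERCION_LABEL = "UWhRCA" + "A" * 22 + "BAAAA"


def inspect_event(event: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return a finding for one parsed Security event, or None.

    A finding requires all three: a watched event ID, a MicrosoftDNS path in
    at least one candidate field, and the coercion blob in a candidate field.
    """
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return None
    if event_id not in WATCHED_EVENT_IDS:
        return None

    values: Dict[str, str] = {}
    for field in CANDIDATE_FIELDS:
        value = event.get(field)
        if isinstance(value, str):
            values[field] = value

    # Gate on the DNS partition so the regex never fires on unrelated objects.
    if not any("MicrosoftDNS" in v for v in values.values()):
        return None

    for field, value in values.items():
        match = BLOB_RE.search(value)
        if match:
            return {
                "event_id": str(event_id),
                "field": field,
                "blob": match.group(0),
                "subject": str(event.get("SubjectUserName", "?")),
            }
    return None


def scan(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Run inspect_event over a stream of events and collect the findings."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry), shaped like the EventData of
# Windows Security events 5137 and 4662 in a hypothetical corp.example domain.
SAMPLE_EVENTS = [
    # 5137: dnsNode created whose name is the coercion blob -> finding
    {"EventID": 5137, "SubjectUserName": "svc-deploy", "ObjectClass": "dnsNode",
     "ObjectDN": f"DC={COERCION_LABEL},DC=corp.example,"
                 "CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"},
    # 5137: ordinary host record creation -> no finding
    {"EventID": 5137, "SubjectUserName": "dnsadmin", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=fileserver01,DC=corp.example,"
                 "CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"},
    # 4662: write to a dnsNode, blob surfaced in AdditionalInfo -> finding
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "ObjectName": "DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,"
                   "DC=corp,DC=example",
     "AdditionalInfo": "UWhRCA" + "A" * 40 + "BAAAA"},
    # 4662: access to a user object; blob-like text but not DNS -> no finding
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "ObjectName": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
     "AdditionalInfo": "UWhRCAAAABAAAA"},
    # 4624: not a watched event ID, so ignored whatever the text contains
    {"EventID": 4624, "SubjectUserName": "jdoe",
     "ObjectName": "CN=MicrosoftDNS UWhRCAABAAAA"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT event {finding['event_id']} by {finding['subject']}: "
              f"{finding['field']} contains {finding['blob']}")
```

The two negative 4662/4624 samples show why the rule needs both the event-ID filter and the MicrosoftDNS gate: the regex alone would match text on unrelated objects. Each finding carries the subject account and the matched field, which is what the Recommendation section asks an analyst to pivot on when investigating an alert.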
