{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3omicrosoftwindows_10_21h2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*","cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*","cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*","cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortinac-f:*:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*","cpe:2.3:o:siemens:ruggedcom_ape1808_firmware:-:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-33073"},{"cvss":9.8,"id":"CVE-2024-55591"},{"cvss":9.8,"id":"CVE-2026-24858"},{"cvss":9.8,"id":"CVE-2025-59718"},{"cvss":9.8,"id":"CVE-2025-59719"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":[],"_cs_products":["Fortinet edge appliances","Cisco edge appliances","OWA/M365","BIG-IP Virtual Edition (VE)","Confluence Data Center","Microsoft Defender XDR","Defender","BIG-IP","Confluence","Exchange Server","nx.dev","Metasploit","VMware Aria Operations","Fortinet FortiGate","Cisco","Microsoft software","Rocket.Chat","Fortinet firewalls","Fortinet VPN gateways","FortiCloud SSO Login","FortiGate","FortiCloud SSO","FortiOS","FortiCloud","FortiManager","FortiAnalyzer","FortiProxy","FortiSwitchManager","FortiWeb"],"_cs_severities":["high"],"_cs_tags":["kerberos","coercion","dns","cve-2025-33073"],"_cs_type":"advisory","_cs_vendors":["Fortinet","Cisco","Microsoft","F5","Atlassian","VMware","SAP","Ivanti","GitHub","Nx","Rocket.Chat"],"content_html":"\u003cp\u003eThis brief addresses the threat of DNS-based Kerberos coercion attacks, which are designed to compromise authentication processes within a network. Attackers inject specifically crafted marshaled credential structures, identified by patterns like '\u003cem\u003e1UWhRC\u003c/em\u003e', '\u003cem\u003eAAAAA\u003c/em\u003e', and '\u003cem\u003eYBAAAA\u003c/em\u003e', into DNS records. This injection allows the attacker to spoof Service Principal Names (SPNs) and redirect authentication requests, potentially leading to unauthorized access and lateral movement. The attack leverages vulnerabilities such as CVE-2025-33073. This activity has been observed leveraging both Suricata network monitoring and Windows Sysmon (Event ID 22) to detect the presence of these malicious DNS queries. Detection of this activity is critical to prevent Kerberos relay attacks and maintain the integrity of network authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS query containing marshaled \u003ccode\u003eCREDENTIAL_TARGET_INFORMATION\u003c/code\u003e structures.\u003c/li\u003e\n\u003cli\u003eThe compromised host sends the malicious DNS query to the internal DNS server.\u003c/li\u003e\n\u003cli\u003eThe DNS server processes the query, unknowingly forwarding the malicious data.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the DNS response and uses the spoofed SPN to initiate a Kerberos authentication request.\u003c/li\u003e\n\u003cli\u003eThe target server authenticates to the attacker-controlled service, relaying credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the relayed credentials to gain unauthorized access to network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and moves laterally within the network, achieving their final objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos coercion attack can lead to significant compromise of a network. By relaying credentials, attackers can gain unauthorized access to critical systems and data. While the exact number of potential victims is unknown, the impact can range from data breaches to complete network takeover. Sectors relying on Kerberos for authentication, such as government, finance, and healthcare, are particularly vulnerable. Successful exploitation allows attackers to escalate privileges, move laterally, and ultimately achieve their objectives, including data exfiltration or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that DNS data is properly ingested and correlated with the Network Resolution data model in your SIEM to facilitate detection using the provided search query.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect suspicious DNS queries containing marshaled credential structures based on Suricata and Sysmon event ID 22 logs.\u003c/li\u003e\n\u003cli\u003eInvestigate and patch CVE-2025-33073 on all affected systems to prevent exploitation of the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rules for false positives, filtering as needed for your organization's specific environment based on the known false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 logging to enhance visibility into DNS query activity on Windows endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T17:39:40Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-dns-kerberos-coercion/","summary":"This brief details the detection of DNS-based Kerberos coercion attacks, where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, as seen in CVE-2025-33073, using Suricata and Sysmon event ID 22.","title":"DNS Kerberos Coercion Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-dns-kerberos-coercion/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}