<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Metasploit - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/metasploit/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/metasploit/feed.xml" rel="self" type="application/rss+xml"/><item><title>DNS Kerberos Coercion Attempt Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-dns-kerberos-coercion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-dns-kerberos-coercion/</guid><description>This brief details the detection of DNS-based Kerberos coercion attacks, where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, as seen in CVE-2025-33073, using Suricata and Sysmon event ID 22.</description><content:encoded><![CDATA[<p>This brief addresses the threat of DNS-based Kerberos coercion attacks, which are designed to compromise authentication processes within a network. Attackers inject specifically crafted marshaled credential structures, identified by patterns like '<em>1UWhRC</em>', '<em>AAAAA</em>', and '<em>YBAAAA</em>', into DNS records. This injection allows the attacker to spoof Service Principal Names (SPNs) and redirect authentication requests, potentially leading to unauthorized access and lateral movement. The attack leverages vulnerabilities such as CVE-2025-33073. This activity has been observed leveraging both Suricata network monitoring and Windows Sysmon (Event ID 22) to detect the presence of these malicious DNS queries. Detection of this activity is critical to prevent Kerberos relay attacks and maintain the integrity of network authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a compromised host within the network.</li>
<li>The attacker crafts a malicious DNS query containing marshaled <code>CREDENTIAL_TARGET_INFORMATION</code> structures.</li>
<li>The compromised host sends the malicious DNS query to the internal DNS server.</li>
<li>The DNS server processes the query, unknowingly forwarding the malicious data.</li>
<li>The attacker intercepts the DNS response and uses the spoofed SPN to initiate a Kerberos authentication request.</li>
<li>The target server authenticates to the attacker-controlled service, relaying credentials.</li>
<li>The attacker leverages the relayed credentials to gain unauthorized access to network resources.</li>
<li>The attacker escalates privileges and moves laterally within the network, achieving their final objective.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful Kerberos coercion attack can lead to significant compromise of a network. By relaying credentials, attackers can gain unauthorized access to critical systems and data. While the exact number of potential victims is unknown, the impact can range from data breaches to complete network takeover. Sectors relying on Kerberos for authentication, such as government, finance, and healthcare, are particularly vulnerable. Successful exploitation allows attackers to escalate privileges, move laterally, and ultimately achieve their objectives, including data exfiltration or ransomware deployment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure that DNS data is properly ingested and correlated with the Network Resolution data model in your SIEM to facilitate detection using the provided search query.</li>
<li>Implement the provided Sigma rules to detect suspicious DNS queries containing marshaled credential structures based on Suricata and Sysmon event ID 22 logs.</li>
<li>Investigate and patch CVE-2025-33073 on all affected systems to prevent exploitation of the vulnerability.</li>
<li>Review and tune the provided Sigma rules for false positives, filtering as needed for your organization's specific environment based on the known false positives.</li>
<li>Enable Sysmon Event ID 22 logging to enhance visibility into DNS query activity on Windows endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kerberos</category><category>coercion</category><category>dns</category><category>cve-2025-33073</category></item></channel></rss>