Tag

Dns

7 briefs RSS

Potential Kerberos SPN Spoofing via Suspicious DNS Query

Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.

Elastic Defend credential-access kerberos spn-spoofing dns windows

2r 1t 3d ago

medium advisory

Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation

2 rules

The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled nameserver.

hickory-recursor +1 dns cache-poisoning zone-delegation

2r 4d ago

high advisory

Internet Systems Consortium BIND Vulnerabilities Leading to Denial of Service

2 rules 1 TTP

Multiple vulnerabilities in Internet Systems Consortium BIND can be exploited by a remote attacker to conduct a denial of service attack or bypass security measures.

dns denial-of-service bind

2r 1t Mar 30, 2026

high advisory

Potential Kerberos Coercion via DNS-Based SPN Spoofing

2 rules 1 TTP

Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.

Active Directory kerberos coercion dns spn spoofing credential-access

2r 1t Jan 26, 2024

medium advisory

RMM Domain DNS Queries from Non-Browser Processes

2 rules 75 IOCs

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Elastic Defend +9 command-and-control rmm dns

2r 75i Jan 3, 2024

high advisory

Suspicious DNS Queries to Telegram API by Non-Telegram Processes

2 rules 2 TTPs 1 IOC

Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.

Splunk Enterprise +2 telegram command-and-control dns windows

2r 2t 1i Jan 3, 2024

high advisory

CoreDNS Transfer Plugin ACL Bypass Vulnerability

2 rules 1 TTP

CoreDNS' transfer plugin prior to version 1.14.3 can select the wrong ACL stanza due to lexicographic comparison, leading to unauthorized zone transfers by clients intended to be denied by subzone-specific transfer policies.

CoreDNS cve-2026-33489 acl-bypass dns zone-transfer

2r 1t Jan 3, 2024