Tag
high
advisory
Potential Kerberos Coercion via DNS-Based SPN Spoofing
2 rules 1 TTPAdversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.
Active Directory
kerberos
coercion
dns
spn
spoofing
credential-access
2r
1t
medium
advisory
User Account ServicePrincipalName Attribute Modified
2 rules 2 TTPsDetection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.
Active Directory
kerberoasting
credential-access
windows
spn
2r
2t