{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/spoofing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-39361"},{"cvss":8.5,"id":"CVE-2026-39974"},{"cvss":7.8,"id":"CVE-2026-32168"},{"cvss":8.8,"id":"CVE-2026-32171"},{"cvss":7.8,"id":"CVE-2026-32192"}],"_cs_exploited":false,"_cs_products":["Azure","Microsoft 365 Copilot","Dynamics 365","Power Apps"],"_cs_severities":["high"],"_cs_tags":["cloud","privilege-escalation","code-execution","spoofing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been reported affecting Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps. Successful exploitation of these vulnerabilities could enable attackers to perform a variety of malicious actions, including escalating their privileges within the affected systems, executing arbitrary code to gain further control, and conducting spoofing attacks to deceive users or bypass security measures. The full details regarding specific vulnerability types and exploitation methods are currently unavailable, but the breadth of affected products indicates a potentially widespread impact across cloud-based Microsoft services. 
Defenders should prioritize monitoring for suspicious activity indicative of exploitation attempts targeting these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the advisory lacks specifics, we will describe a generalized attack chain based on the potential vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a target environment, possibly through compromised credentials or a separate vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker exploits a vulnerability within one of the Microsoft cloud products (Azure, Microsoft 365 Copilot, Dynamics 365, or Power Apps) to elevate their privileges to a higher level, potentially gaining administrative rights.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e Leveraging the escalated privileges, the attacker injects malicious code into a vulnerable component of the cloud service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The injected code is executed, allowing the attacker to perform arbitrary actions within the context of the compromised service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised service as a pivot point to move laterally within the cloud environment, targeting other resources and services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Manipulation:\u003c/strong\u003e Once established within the environment, the attacker exfiltrates sensitive data or manipulates data for malicious purposes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSpoofing Attacks:\u003c/strong\u003e The attacker leverages the compromised environment to launch spoofing attacks, potentially targeting other users or systems with phishing emails or other 
deceptive tactics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence within the cloud environment to maintain access even after the initial vulnerability is patched.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have significant consequences, including unauthorized access to sensitive data, disruption of critical business processes, and financial losses. The number of potential victims is substantial, given the widespread use of Microsoft cloud services across various sectors. A successful attack could result in data breaches, service outages, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor logs from Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps for suspicious activity indicative of privilege escalation, code execution, and spoofing attacks.\u003c/li\u003e\n\u003cli\u003eEnable and review audit logs within the affected Microsoft cloud services to identify anomalous user behavior and potential security breaches.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your specific environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eFollow Microsoft\u0026rsquo;s official security advisories and apply any available patches or mitigations as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:09Z","date_published":"2026-04-24T09:09:09Z","id":"/briefs/2026-04-microsoft-cloud-vulns/","summary":"Multiple vulnerabilities in Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps could allow an attacker to escalate privileges, execute arbitrary code, and conduct spoofing attacks.","title":"Multiple 
Vulnerabilities in Microsoft Cloud Products Allow Privilege Escalation and Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-microsoft-cloud-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","spoofing","denial-of-service","information-disclosure","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA cluster of vulnerabilities has been identified affecting several Microsoft developer tools, including Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code. While the specific CVEs are not detailed in the initial report, successful exploitation of these vulnerabilities could allow an attacker to achieve several malicious outcomes. These include the disclosure of sensitive information, spoofing attacks to deceive users or systems, causing denial-of-service conditions that disrupt availability, and evading security measures to gain unauthorized access. The ultimate impact could be the execution of arbitrary code on a vulnerable system, granting the attacker significant control. The scope of affected systems is potentially broad, considering the widespread use of these development tools in various environments. Defenders should prioritize identifying and mitigating these vulnerabilities to prevent exploitation and maintain system integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable instance of Microsoft Visual Studio, .NET Framework, .NET, PowerShell, or Visual Studio Code.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input or exploit tailored to the specific vulnerability present in the targeted software.\u003c/li\u003e\n\u003cli\u003eThe malicious input is delivered to the vulnerable application. 
This could involve opening a specially crafted project file in Visual Studio, executing a malicious PowerShell script, or triggering a vulnerability through a .NET application.\u003c/li\u003e\n\u003cli\u003eExploitation of the vulnerability occurs, potentially leading to information disclosure, where sensitive data such as credentials or API keys are exposed.\u003c/li\u003e\n\u003cli\u003eAlternatively, the exploitation could enable a spoofing attack, where the attacker impersonates a legitimate user or service to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker could also trigger a denial-of-service condition, rendering the application or system unavailable to legitimate users.\u003c/li\u003e\n\u003cli\u003eIf security measures are successfully bypassed, the attacker may gain the ability to execute arbitrary code on the affected system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages arbitrary code execution to install malware, exfiltrate data, or further compromise the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of these vulnerabilities could lead to a range of damaging outcomes. Sensitive information disclosure could expose proprietary code, credentials, or customer data. Spoofing attacks could facilitate phishing campaigns or unauthorized access to critical systems. Denial-of-service attacks could disrupt business operations and impact user productivity. The most severe outcome, arbitrary code execution, could allow attackers to gain full control of affected systems, potentially leading to data breaches, ransomware deployment, or other malicious activities. 
Given the ubiquitous nature of the affected tools, a successful campaign could impact numerous organizations and individuals.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process monitoring to detect suspicious command-line arguments used with PowerShell, as exploitation might involve malicious scripts (reference: process_creation log source, PowerShell detection rules).\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected network connections originating from Visual Studio or .NET processes, which could indicate command and control activity after successful code execution (reference: network_connection log source, network connection detection rules).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical system files or application binaries, as attackers might attempt to install backdoors or malware (reference: file_event log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:06:06Z","date_published":"2026-04-21T08:06:06Z","id":"/briefs/2026-04-ms-dev-tools-vulns/","summary":"Multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code can be exploited by an attacker to disclose sensitive information, conduct spoofing attacks, cause a denial of service, or bypass security measures, potentially leading to arbitrary code execution.","title":"Multiple Vulnerabilities in Microsoft Developer Tools","url":"https://feed.craftedsignal.io/briefs/2026-04-ms-dev-tools-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-26149"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["CVE-2026-26149","powerapps","spoofing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26149 describes a spoofing vulnerability affecting Microsoft Power Apps. 
While the specifics of exploitation are not detailed in the initial advisory, successful exploitation could allow an attacker to craft deceptive Power Apps or manipulate existing ones to display misleading information, potentially leading to credential theft or other forms of social engineering. The vulnerability\u0026rsquo;s impact is contingent on user interaction, as a user must be tricked into interacting with the spoofed application. Defenders should prioritize understanding the attack vectors and potential impact within their specific Power Apps implementations. Further investigation is needed to fully understand the scope of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Microsoft Power App deployment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Power App or modifies an existing one to include spoofed content.\u003c/li\u003e\n\u003cli\u003eAttacker distributes the link to the malicious Power App to a target user, possibly via phishing.\u003c/li\u003e\n\u003cli\u003eTarget user, believing the app is legitimate, interacts with the spoofed elements within the Power App.\u003c/li\u003e\n\u003cli\u003eThe spoofed content prompts the user for sensitive information, such as credentials or personal data.\u003c/li\u003e\n\u003cli\u003eThe user enters their information, unknowingly sending it to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen information to gain unauthorized access to other systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26149 could lead to credential theft, data breaches, or unauthorized access to sensitive resources within an organization using Microsoft Power Apps. The scope of the impact depends on the permissions and data accessible by the compromised user. 
While the exact number of potential victims is unknown, any organization relying on Power Apps is potentially vulnerable. The spoofing could be used in conjunction with other attacks, such as phishing campaigns, to further amplify the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Power Apps usage for suspicious activity, such as access from unusual locations or attempts to modify app configurations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eEducate users on how to identify and avoid phishing attacks targeting Power Apps.\u003c/li\u003e\n\u003cli\u003eContinuously monitor Microsoft\u0026rsquo;s security update guide for further information regarding CVE-2026-26149.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting suspicious Power Apps activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T14:00:00Z","date_published":"2026-04-20T14:00:00Z","id":"/briefs/2024-02-powerapps-spoofing/","summary":"A spoofing vulnerability exists in Microsoft Power Apps, identified as CVE-2026-26149, potentially allowing an attacker to mislead users or gain unauthorized access.","title":"CVE-2026-26149 Microsoft Power Apps Spoofing Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-02-powerapps-spoofing/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-26151"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-26151","rdp","spoofing","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26151 is a security vulnerability affecting Windows Remote Desktop (RDP). The vulnerability stems from an insufficient UI warning mechanism when dangerous operations are about to be performed within an RDP session. 
An attacker could potentially exploit this to spoof legitimate actions or elements within the RDP interface, misleading the user into performing unintended actions. This vulnerability could be exploited by an attacker positioned on the same network as the victim, or through other means of network access. Successful exploitation could lead to information disclosure, unauthorized access, or other forms of compromise, depending on the specific actions spoofed. The vulnerability has a CVSS v3.1 score of 7.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains network access to a system that has an active RDP connection or will have an RDP connection in the future.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their network position to intercept and manipulate RDP traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-26151 to inject spoofed UI elements into the RDP session.\u003c/li\u003e\n\u003cli\u003eThe victim, unaware of the spoofed UI, interacts with the malicious elements.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spoofed UI to trick the user into performing unintended actions, such as providing credentials or running malicious commands.\u003c/li\u003e\n\u003cli\u003eIf credentials were stolen, the attacker authenticates using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems on the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26151 could allow an attacker to perform spoofing attacks via manipulated UI elements within the Remote Desktop session. 
This could lead to unauthorized access to sensitive information, credential theft, or the execution of arbitrary commands on the remote system. Depending on the compromised system\u0026rsquo;s role and privileges, this could potentially lead to wider compromise within the organization\u0026rsquo;s network. The impact can range from data breaches to system downtime and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-26151 as detailed in \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious RDP Clipboard Activity\u0026rdquo; to detect potential data exfiltration attempts via the clipboard during RDP sessions.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalies associated with RDP connections, such as unexpected data transfers or connections from unusual source IPs, to complement the remediation of CVE-2026-26151.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-rdp-spoofing/","summary":"CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.","title":"Windows Remote Desktop Spoofing Vulnerability (CVE-2026-26151)","url":"https://feed.craftedsignal.io/briefs/2026-04-rdp-spoofing/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32178"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dotnet","spoofing","cve-2026-32178"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32178 is a security vulnerability affecting 
.NET applications. This vulnerability stems from the improper neutralization of special elements, which can be exploited by an unauthorized attacker to perform spoofing attacks over a network. Successful exploitation of this vulnerability could allow an attacker to impersonate trusted entities or services, potentially leading to unauthorized access, data manipulation, or other malicious activities. The vulnerability was published on April 14, 2026. Given the widespread use of .NET in various applications and services, this vulnerability poses a significant risk to organizations utilizing affected .NET versions. Defenders need to implement appropriate mitigation strategies to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable .NET application that processes network-based input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network request containing special elements designed to exploit the improper neutralization vulnerability (CVE-2026-32178).\u003c/li\u003e\n\u003cli\u003eThe vulnerable .NET application processes the malicious request without properly neutralizing the special elements.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper neutralization, the application misinterprets the special elements in the request.\u003c/li\u003e\n\u003cli\u003eThe application performs actions based on the misinterpreted data, such as modifying data or granting unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the spoofed identity or altered data to further compromise the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32178 could allow an attacker to perform network spoofing, potentially impacting confidentiality, 
integrity, and availability of affected systems. While the specific number of victims is unknown, the widespread use of .NET increases the potential for broad impact across various sectors. Consequences can range from data breaches and financial loss to reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-32178 as referenced in \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts targeting .NET applications.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious patterns indicative of spoofing attacks, focusing on traffic to and from .NET applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:17:20Z","date_published":"2026-04-14T18:17:20Z","id":"/briefs/2026-04-dotnet-spoofing/","summary":"CVE-2026-32178 is a vulnerability in .NET that allows for network spoofing due to improper neutralization of special elements, potentially enabling attackers to impersonate legitimate entities.","title":".NET Spoofing Vulnerability (CVE-2026-32178)","url":"https://feed.craftedsignal.io/briefs/2026-04-dotnet-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["kerberos","coercion","dns","spn","spoofing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential Kerberos coercion attempts via DNS-based SPN spoofing on Windows systems. 
The technique abuses MicrosoftDNS records, specifically looking for directory-service access or creation events (event codes 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed within Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to a system with privileges to modify DNS records in Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new MicrosoftDNS record or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin the DNS record, specifically in the \u003ccode\u003eAdditionalInfo\u003c/code\u003e or \u003ccode\u003eObjectDN\u003c/code\u003e attributes, the attacker inserts a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the DNS record to point to an attacker-controlled host. 
This involves manipulating the record\u0026rsquo;s name and associated IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the Kerberos authentication request.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; and \u0026ldquo;Audit Directory Service Changes\u0026rdquo; Windows audit policies to ensure relevant events are logged (Setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. 
Tune the rules based on your environment and known legitimate activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).\u003c/li\u003e\n\u003cli\u003eRestrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-kerberos-coercion-dns/","summary":"Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.","title":"Potential Kerberos Coercion via DNS-Based SPN Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/"}],"language":"en","title":"CraftedSignal Threat Feed — Spoofing","version":"https://jsonfeed.org/version/1.1"}