Analytics Story: Kerberos Coercion with DNS
Description
Detects Kerberos coercion attacks via DNS manipulation. Identifies DNS record modifications where the Distinguished Name contains a base64-encoded CREDENTIAL_TARGET_INFORMATION structure.
Why it matters
CVE-2025-33073 is a critical authentication-reflection vulnerability affecting Active Directory environments. It was found while developing offensive tradecraft against a Domain Controller in a lab. The attacker creates (or modifies) a DNS record in the AD-integrated zone whose hostname carries a "magic string": a base64-encoded CREDENTIAL_TARGET_INFORMATION structure appended to the host label. When a victim host is coerced into authenticating to that name, the marshalled target information embedded in the hostname causes the authentication to be treated as destined for the victim itself, so the coerced credential can be reflected back onto the victim and used to execute code as SYSTEM. Because any authenticated domain user can normally create DNS records in an AD-integrated zone, the prerequisite is only low-privileged domain access; the DNS record change (Security events 5136/5137, or Sysmon-observed DNS activity) is therefore the earliest observable artifact of the attack chain.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Suricata | Other | suricata | suricata |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4662 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 5136 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 5137 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
References
- https://web.archive.org/web/20250617122747/https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
- https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/
Source: GitHub | Version: 1