From dc7cd1f75aec56bf5a016f29a02106eb54d3c7a5 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 20 Jun 2025 11:36:19 +0545
Subject: [PATCH 1/7] feat: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
---
...s_coercion_via_dns_object_spn_spoofing.yml | 35 +++++++++++++
...urity_kerberos_coercion_via_dns_object.yml | 52 +++++++++++++++++++
...beros_coercion_via_dns_object_spoofing.yml | 35 +++++++++++++
3 files changed, 122 insertions(+)
create mode 100644 rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
create mode 100644 rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
create mode 100644 rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
diff --git a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
new file mode 100644
index 00000000000..aeb4bc5bc3b
--- /dev/null
+++ b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
@@ -0,0 +1,35 @@
+title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
+id: 5588576c-5898-4fac-bcdd-7475a60e8f43
+related:
+ - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
+ type: similar
+ - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
+ type: similar
+status: experimental
+description: |
+ Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
+ The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+ Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+ It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+ to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
+references:
+ - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+ - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+author: Swachchhanda Shrawan Poudel
+date: 2025-06-13
+tags:
+ - attack.credential-access
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1557.001
+ - attack.t1187
+logsource:
+ product: zeek
+ service: dns
+detection:
+ selection:
+ query|contains: 'UWhRCA*BAA'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
new file mode 100644
index 00000000000..992dd6d92ac
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
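Review bot: The comments on the `related` entries do not carry the titles of the rules they point to: b07e58cf is annotated `Potential Kerberos Coercion via DNS Object Spoofing` while that rule is titled `Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation`, and the same drift appears in the dns_query rule added later in this patch and in the security rule's comment for e7a21b5f. These comments are the only human-readable link between the three rules, so they should quote the sibling titles verbatim. The `query|contains: 'UWhRCA*BAA'` value relies on the unescaped `*` being interpreted as a Sigma wildcard; an inline comment such as `# '*' is a wildcard: UWhRCA and BAA must appear in this order` would make that intent explicit for readers and for converters that escape it.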
@@ -0,0 +1,52 @@
+title: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
+id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
+related:
+ - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
+ type: similar
+ - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
+ type: similar
+status: experimental
+description: |
+ Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
+ matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
+ commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
+ attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.
+ where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
+ Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
+references:
+ - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+ - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-06-18
+tags:
+ - attack.credential-access
+ - attack.t1557.003
+ - attack.persistence
+ - attack.privilege-escalation
+logsource:
+ product: windows
+ service: security
+ definition: |
+ By default these events are not logged by default for MicrosoftDNS objects in Active Directory.
+ To enable detection, configure an AuditRule on the DNS object container with the "CreateChild" permission for the "Everyone" principal.
+ This can be accomplished using tools such as Set-AuditRule (see https://github.com/OTRF/Set-AuditRule).
+detection:
+ selection_directory_service_changes:
+ EventID:
+ - 5136
+ - 5137
+ ObjectClass: 'dnsNode'
+ ObjectDN|contains|all: # ObjectDN">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
+ - 'UWhRCA*BAA'
+ - 'CN=MicrosoftDNS'
+ selection_directory_service_access:
+ EventID: 4662
+ AdditionalInfo|contains|all: # AdditionalInfo">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
+ - 'UWhRCA*BAA'
+ - 'CN=MicrosoftDNS'
+ condition: 1 of selection_*
+fields:
+ - SubjectUserName # It is important to check the AccountName field to identify the user, it is likely an low-privileged account that has been compromised.
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
new file mode 100644
index 00000000000..abfca2393e2
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
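Review bot: The tag `attack.t1557.003` is inconsistent with the sibling rules in this series, which tag the same behaviour as `attack.t1557.001` and `attack.t1187`; T1557.003 is the DHCP-spoofing sub-technique, so unless the divergence is deliberate it should be aligned with the other rules. The comment on `fields: - SubjectUserName` directs the analyst to an `AccountName` field that does not appear in the rule; it should name the field the rule actually surfaces, e.g. `# Pivot on SubjectUserName: the modifying account is likely a low-privileged one that has been compromised`. Two wording slips in the prose: `By default these events are not logged by default` repeats "by default", and `coercion attack,.` has a stray comma before the full stop.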
@@ -0,0 +1,35 @@
+title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
+id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
+related:
+ - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
+ type: similar
+ - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
+ type: similar
+status: experimental
+description: |
+ Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
+ The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+ Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+ It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+ to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
+references:
+ - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+ - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+author: Swachchhanda Shrawan Poudel
+date: 2025-06-13
+tags:
+ - attack.credential-access
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1557.001
+ - attack.t1187
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|contains: 'UWhRCA*BAA'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From ccda043fd3e9c3fca3d467e608c326263b157e3c Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 20 Jun 2025 11:52:13 +0545
Subject: [PATCH 2/7] feat: some changes
---
...s_coercion_via_dns_object_spn_spoofing.yml | 2 +-
...urity_kerberos_coercion_via_dns_object.yml | 4 ++-
...beros_coercion_via_dns_object_spoofing.yml | 6 ++--
...kerberos_coercion_via_dns_spn_spoofing.yml | 33 +++++++++++++++++++
4 files changed, 40 insertions(+), 5 deletions(-)
create mode 100644 rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
diff --git a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
index aeb4bc5bc3b..d36737ef67f 100644
--- a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
+++ b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
@@ -16,7 +16,7 @@ references: - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html author: Swachchhanda Shrawan Poudel -date: 2025-06-13 +date: 2025-06-20 tags: - attack.credential-access - attack.persistence
diff --git a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
index 992dd6d92ac..de19ac8bc09 100644
--- a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
+++ b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
@@ -5,6 +5,8 @@ related: type: similar - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network type: similar + - id: 0ed99dda-6a35-11ef-8c99-0242ac120002 # Kerberos Coercion Via DNS SPN Spoofing Attempt + type: similar status: experimental description: | Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
@@ -17,7 +19,7 @@ references: - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 author: Swachchhanda Shrawan Poudel (Nextron Systems) -date: 2025-06-18 +date: 2025-06-20 tags: - attack.credential-access - attack.t1557.003
diff --git a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
index abfca2393e2..6e3f02d4f79 100644
--- a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
+++ b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
@@ -3,20 +3,20 @@ id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c related: - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing type: similar - - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network + - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network type: similar status: experimental description: | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. - It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records + It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. references: - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html author: Swachchhanda Shrawan Poudel -date: 2025-06-13 +date: 2025-06-20 tags: - attack.credential-access - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
new file mode 100644
index 00000000000..039bbc4aac7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -0,0 +1,33 @@
+title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
+id: 0ed99dda-6a35-11ef-8c99-0242ac120002
+related:
+ - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
+ type: similar
+status: experimental
+description: |
+ Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
+ The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+ Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+ It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+ to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
+references:
+ - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+ - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-06-20
+tags:
+ - attack.credential-access
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1557.001
+ - attack.t1187
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'UWhRCA*BAAAA'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 8437c2db2528525c4d8c8c65fb80bb09ca759b6e Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 20 Jun 2025 11:52:29 +0545
Subject: [PATCH 3/7] fix: typo
---
...proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
index 039bbc4aac7..c0433526a20 100644
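Review bot: The `related` block lists only b07e58cf and omits the two DNS-query rules (e7a21b5f and 5588576c) that the rest of this series cross-references, and only the security rule is updated to point back at this one in the `@@ -5,6 +5,8 @@` hunk above, so the link set between the four rules is asymmetric. The id `0ed99dda-6a35-11ef-8c99-0242ac120002` has a version-1 (time-based) layout while the other three rules use random version-4 ids; worth confirming it meets the repository's id convention before merge. The description quotes the pattern as `UWhRC....AAYBAAAA`, whereas the sibling rules write `1UWhRCAAAAA..BAAAA` and the detection itself uses `UWhRCA*BAAAA`; one spelling across the set would make the rules easier to maintain.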
--- a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -5,7 +5,7 @@ related: type: similar status: experimental description: | - Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. + Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
From 315640795dce0ca39beaadb4d63fbefe43de3304 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 20 Jun 2025 12:00:47 +0545
Subject: [PATCH 4/7] fix: no new line at the end
---
...oc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
index c0433526a20..60511233041 100644
--- a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -10,6 +10,8 @@ description: | Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. + If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, + or checking for the presence of such records through the `nslookup` command. references: - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
@@ -30,4 +32,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high
From 80b4a2412c1a13f343bcbfdac54e4a7aa7ce03f0 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 20 Jun 2025 12:22:45 +0545
Subject: [PATCH 5/7] update: author
---
.../zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml | 2 +-
.../dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
index d36737ef67f..61ee3853feb 100644
--- a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
+++ b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
@@ -15,7 +15,7 @@ description: | references: - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html -author: Swachchhanda Shrawan Poudel +author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-20 tags: - attack.credential-access
diff --git a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
index 6e3f02d4f79..5ac5d9b4489 100644
--- a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
+++ b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
@@ -15,7 +15,7 @@ description: | references: - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html -author: Swachchhanda Shrawan Poudel +author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-20 tags: - attack.credential-access
From 29be87ea91c4317c80de8dd5463220134103aed7 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Tue, 8 Jul 2025 14:25:39 +0545
Subject: [PATCH 6/7] fix: query logic change
---
...ek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml | 4 +++-
.../win_security_kerberos_coercion_via_dns_object.yml | 6 ++++--
..._query_win_kerberos_coercion_via_dns_object_spoofing.yml | 4 +++-
..._creation_win_kerberos_coercion_via_dns_spn_spoofing.yml | 4 +++-
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
index 61ee3853feb..65f501755a2 100644
--- a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
+++ b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
@@ -28,7 +28,9 @@ logsource: service: dns detection: selection: - query|contains: 'UWhRCA*BAA' + query|contains|all: + - 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA + - 'BAAAA' condition: selection falsepositives: - Unknown
diff --git a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
index de19ac8bc09..5ff688de15a 100644
--- a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
+++ b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
@@ -39,12 +39,14 @@ detection: - 5137 ObjectClass: 'dnsNode' ObjectDN|contains|all: # ObjectDN">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com - - 'UWhRCA*BAA' + - 'UWhRCA' + - 'BAAAA' - 'CN=MicrosoftDNS' selection_directory_service_access: EventID: 4662 AdditionalInfo|contains|all: # AdditionalInfo">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com - - 'UWhRCA*BAA' + - 'UWhRCA' + - 'BAAAA' - 'CN=MicrosoftDNS' condition: 1 of selection_* fields:
diff --git a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
index 5ac5d9b4489..8424731df9c 100644
--- a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
+++ b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
@@ -28,7 +28,9 @@ logsource: category: dns_query detection: selection: - QueryName|contains: 'UWhRCA*BAA' + QueryName|contains|all: + - 'UWhRCA' + - 'BAAAA' condition: selection falsepositives: - Unknown
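Review bot: Replacing `'UWhRCA*BAA'` with `contains|all` over `'UWhRCA'` and `'BAAAA'` drops the ordering and adjacency constraint that the wildcard encoded: the two tokens may now match independently anywhere in the field, and `BAAAA` is a common fragment of base64-encoded zero-padded data, so the discriminating power rests on `UWhRCA` alone. The same change is made to the security rule's `ObjectDN` and `AdditionalInfo` selections and to the dns_query rule on this line, and to the process_creation rule in the next hunk. If the wildcard form was abandoned for backend compatibility, that reason should be recorded in a comment next to the list, and if the run of A's is constant as the description's `1UWhRCAAAAA..BAAAA` implies, the longer token `'UWhRCAAAAA'` would tighten the match without depending on ordering. The `# Follows this pattern UWhRCAAAAA..BAAA` comment was added only to the zeek rule and spells the tail as `BAAA` while the token is `BAAAA`.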
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
index 60511233041..e0dbb4b394e 100644
--- a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -28,7 +28,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'UWhRCA*BAAAA' + CommandLine|contains: + - 'UWhRCA' + - 'BAAAA' condition: selection falsepositives: - Unknown
From e1d628c7ff50d249900d5a1db7967c13315f56fe Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Tue, 8 Jul 2025 14:28:36 +0545
Subject: [PATCH 7/7] fix: typo
---
...proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
index e0dbb4b394e..17815d5c17f 100644
--- a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -28,7 +28,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains|all: - 'UWhRCA' - 'BAAAA' condition: selection