[New Rules] SPN Spoofing / Coercion Rules (#4815)

w0rk3r · Samirbous · web-flow · commit 1f71191c853f · 2025-06-17T18:50:28.000-03:00
* [New Rules] SPN Spoofing / Coercion Rules

* Apply suggestions from code review

Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;

* Update rules/windows/credential_access_kerberos_coerce.toml

* Update rules/windows/credential_access_kerberos_coerce_dns.toml

Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;

* Update rules/windows/credential_access_kerberos_coerce.toml

Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;

* .

* Update rules/windows/credential_access_kerberos_coerce_dns.toml

* Update rules/windows/credential_access_kerberos_coerce_dns.toml

* Update pyproject.toml

* missing tag

---------

Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -13,6 +13,7 @@
         "AccessList": "keyword",
         "AccessMask": "keyword",
         "AccessMaskDescription": "keyword",
+        "AdditionalInfo": "keyword",
         "AllowedToDelegateTo": "keyword",
         "AttributeLDAPDisplayName": "keyword",
         "AttributeValue": "keyword",
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.18"
+version = "1.2.19"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml
@@ -0,0 +1,123 @@
+[metadata]
+creation_date = "2025/06/14"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2025/06/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This
+pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks.
+It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce
+victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate
+services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in
+privileged access such as NT AUTHORITY\\SYSTEM, without relying on NTLM fallback.
+"""
+from = "now-9m"
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential Kerberos Coercion via DNS-Based SPN Spoofing"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Kerberos Coercion via DNS-Based SPN Spoofing
+
+### Possible investigation steps
+
+- Review the event logs on the affected Windows host to confirm the presence of event code 5137, which indicates a directory service object modification.
+- Inspect the ObjectDN field to identify the full distinguished name of the created DNS record. Look for entries containing Base64-encoded segments matching UWhRCA...BAAAA, which are indicative of an embedded CREDENTIAL_TARGET_INFORMATION payload used in SPN spoofing.
+- Validate the associated user or computer account responsible for the DNS record creation. Investigate whether the account has legitimate administrative access to modify DNS zones or whether it may have been compromised.
+- Correlate with DNS query logs and network telemetry to determine if the suspicious DNS hostname was later queried or resolved by other hosts on the network. A match suggests the attacker moved forward with the coercion attempt.
+- Assess the permissions and access controls on the DNS zones to ensure they are appropriately configured and restrict unnecessary modifications by authenticated users.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately.
+
+### Response and remediation
+
+- Review and remove the malicious DNS record containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
+- Identify the source of the DNS modification by correlating the event with user context and host activity. Investigate whether the account used was compromised or misused.
+- Audit Kerberos ticket activity following the DNS record creation. Look for suspicious service ticket requests (Event ID 4769) or authentication attempts that could indicate a relay or privilege escalation attempt.
+- Temporarily isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+"""
+references = [
+    "https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025",
+    "https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/",
+    "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
+    "https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md",
+    "https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md",
+]
+risk_score = 73
+rule_id = "f701be14-0a36-4e9a-a851-b3e20ae55f09"
+setup = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+    "Data Source: Windows Security Event Logs",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+(event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
+(event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+[[rule.threat.technique.subtechnique]]
+id = "T1557.001"
+name = "LLMNR/NBT-NS Poisoning and SMB Relay"
+reference = "https://attack.mitre.org/techniques/T1557/001/"
+
+
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_kerberos_coerce_dns.toml b/rules/windows/credential_access_kerberos_coerce_dns.toml
@@ -0,0 +1,118 @@
+[metadata]
+creation_date = "2025/06/14"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/06/14"
+
+[transform]
+[[transform.investigate]]
+label = "Show the related DNS events"
+providers = [
+  [
+    { excluded = false, field = "dns.question.name", queryType = "phrase", value = "{{dns.question.name}}", valueType = "string" }
+  ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies queries to a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern
+corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is
+associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim
+systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services
+(often the victim's own identity), enabling attacks such as NTLM reflection.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.network-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-windows.sysmon_operational-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Kerberos SPN Spoofing via Suspicious DNS Query"
+note = """## Triage and analysis
+
+### Investigating Potential Kerberos SPN Spoofing via Suspicious DNS Query
+
+> **Note**:
+> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+### Possible investigation steps
+
+- Identify the system that issued the DNS query for the suspicious hostname. Determine whether it is a server or an end user device. This technique is typically only relevant against server systems, but queries originating from workstations may indicate compromise or misuse.
+- Identify attacker-controlled system by getting the IP addresses (`dns.resolved_ip`) that this DNS query resolved to by looking for the related `lookup_result` events.
+    - $investigate_0
+- If this alert was triggered on a domain controller, escalate the investigation to involve the incident response team to determine the full scope of the breach as soon as possible.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately.
+
+### Response and remediation
+
+- Review and remove malicious DNS records containing the embedded CREDENTIAL_TARGET_INFORMATION Base64 payload (UWhRCA...BAAAA). Ensure that no additional coercion records exist in the same DNS zone.
+- Isolate involved systems if signs of compromise or lateral movement are detected, especially if the record was successfully resolved and used for coercion.
+- Monitor network traffic for signs of Man-in-the-Middle activity, focusing on unusual DNS queries or redirections.
+- Escalate the incident to the security operations center (SOC) for further investigation and to assess the potential impact on other systems.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025",
+    "https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/",
+    "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
+    "https://github.com/CICADA8-Research/RemoteKrbRelay/blob/main/README.md",
+    "https://github.com/Orange-Cyberdefense/ocd-mindmaps/blob/main/excalimap/mindmap/ad/authenticated.md",
+]
+risk_score = 73
+rule_id = "99ac5005-8a9e-4625-a0af-5f7bb447204b"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Crowdstrike",
+    "Data Source: SentinelOne",
+    "Data Source: Sysmon",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+[[rule.threat.technique.subtechnique]]
+id = "T1557.001"
+name = "LLMNR/NBT-NS Poisoning and SMB Relay"
+reference = "https://attack.mitre.org/techniques/T1557/001/"
+
+
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
