Sigma rules for CVE-2025-3307
4 rules · scoped to cve · back to CVE-2025-3307
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
id: 5588576c-5898-4fac-bcdd-7475a60e8f43
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
type: similar
- id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
type: similar
status: experimental
description: |
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dns
detection:
selection:
query|contains|all:
- 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
type: similar
- id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
type: similar
status: experimental
description: |
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
type: similar
status: experimental
description: |
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
related:
- id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
type: similar
- id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
type: similar
- id: 0ed99dda-6a35-11ef-8c99-0242ac120002 # Kerberos Coercion Via DNS SPN Spoofing Attempt
type: similar
status: experimental
description: |
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.
where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
references:
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.t1557.003
- attack.persistence
- attack.privilege-escalation
logsource:
product: windows
service: security
definition: |
By default these events are not logged by default for MicrosoftDNS objects in Active Directory.
To enable detection, configure an AuditRule on the DNS object container with the "CreateChild" permission for the "Everyone" principal.
This can be accomplished using tools such as Set-AuditRule (see https://github.com/OTRF/Set-AuditRule).
detection:
selection_directory_service_changes:
EventID:
- 5136
- 5137
ObjectClass: 'dnsNode'
ObjectDN|contains|all: # ObjectDN">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
- 'UWhRCA'
- 'BAAAA'
- 'CN=MicrosoftDNS'
selection_directory_service_access:
EventID: 4662
AdditionalInfo|contains|all: # AdditionalInfo">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
- 'UWhRCA'
- 'BAAAA'
- 'CN=MicrosoftDNS'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high