← Library
kqlElastic-2.0from elastic/detection-rules

Potential Kerberos Coercion via DNS-Based SPN Spoofing

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1187T1557T1557.001
Rule sourcerules/windows/credential_access_kerberos_coerce.toml
host.os.type:"windows" and
(
  (event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
  (event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
)