Potential Kerberos Coercion via DNS-Based SPN Spoofing

Elastic Detection Rules

Summary
This detection rule identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA", which corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure typical of Kerberos coercion attacks. Such attacks are carried out through Service Principal Name (SPN) spoofing via DNS manipulation, in which an attacker coerces victim systems into authenticating to attacker-controlled hosts, ultimately enabling reflective Kerberos relay attacks. This can grant the attacker privileged access without the need for NTLM fallback. The rule is intended for security monitoring in Windows environments and requires specific logging policies (DNS record creation auditing) to be in place for effective detection. The investigation steps include reviewing event logs relating to DNS modifications, validating the permissions of the account that created the record, and monitoring for unusual Kerberos ticket requests. It has a high risk score and includes references to external resources for further understanding of related attacks.
Categories
  • Windows
  • Endpoint
  • Network
  • Cloud
Data Sources
  • Windows Registry
  • Active Directory
  • Application Log
ATT&CK Techniques
  • T1557
  • T1557.001
  • T1187
Created: 2025-06-14