
Summary
This detection rule identifies potential Kerberos coercion attacks by looking for a specific base64-encoded pattern in process command lines. The pattern, which starts with 'UWhRC' and ends with 'BAAAA', is the base64 form of a marshaled `CREDENTIAL_TARGET_INFORMATION` structure. Attackers embed this blob in a hostname (for example in a DNS record they control) so that when a victim is coerced into connecting to that name, Windows unmarshals the embedded target information and derives the Service Principal Name (SPN) from it rather than from the host actually contacted; the victim therefore authenticates to an attacker-controlled host while presenting credentials intended for a different target. The rule monitors for command lines that contain this pattern, particularly together with nslookup, which attackers use to verify that the crafted DNS record resolves before coercing the victim. The rule is a process-creation detection for Windows and carries a high severity level because a successful attack using this technique can lead to authentication relay against other systems.
Categories
- Windows
- Network
- Identity Management
Data Sources
- Process
Created: 2025-06-20