
Summary
The "DNS Kerberos Coercion" rule detects DNS-based attacks in which an adversary injects a marshaled credential structure into a DNS record in order to manipulate Service Principal Names (SPNs) and reroute authentication, the technique exemplified by CVE-2025-33073. The detection uses Suricata to inspect DNS queries for the characteristic markers of a CREDENTIAL_TARGET_INFORMATION structure, since such a structure has no legitimate reason to appear in a DNS name, and treats its presence as a likely Kerberos coercion attempt. The rule is implemented as a Splunk search over DNS traffic that filters on DNS query attributes such as the source and destination, allowing analysts to pinpoint the hosts involved. Implementation requires DNS data to be collected into the Network_Resolution data model so that the relevant events are covered. Because these structures are uncommon in DNS traffic, false positives should be rare, but organizations are advised to add context-specific filtering to reduce them further.
Categories
- Network
- Cloud
- Endpoint
Data Sources
- Pod
- Container
- Network Traffic
- Application Log
ATT&CK Techniques
- T1557.001
- T1187
- T1071.004
Created: 2025-11-14