
Windows Credential Target Information Structure in Commandline

Splunk Security Content

Summary
This detection rule targets DNS-based Kerberos coercion attacks, which exploit vulnerabilities such as CVE-2025-33073 by hijacking authentication requests through maliciously crafted DNS records. It uses Sysmon event logs to capture process creation events whose command lines contain CREDENTIAL_TARGET_INFORMATION structures indicative of such attacks. The rule looks for process names and command lines matching patterns associated with the injection technique (for example, base64-encoded segments). To work, the detection requires that logs from Endpoint Detection and Response (EDR) tools be correctly parsed and normalized into Splunk's Common Information Model (CIM). False positives are likely because similar commands have legitimate uses, so custom filtering is recommended. The listed references provide further background on NTLM and Kerberos security risks.
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1557.001
  • T1187
  • T1071.004
Created: 2025-11-13