
Summary
This rule identifies potentially malicious DNS queries that contain a base64-encoded blob corresponding to a credential-related data structure used in Kerberos authentication. The pattern 'UWhRCA...BAAAA' is indicative of attacks that exploit Service Principal Name (SPN) spoofing through DNS, typically as part of coercion attacks in which adversaries manipulate victim systems into sending Kerberos authentication requests to attacker-controlled hosts. Such activity can lead to NTLM reflection attacks, allowing attackers to leverage the victim systems' authentication processes for unauthorized access. During an investigation, security teams should identify the source of the DNS query and any resolved IP addresses, and analyze whether the manipulation succeeded. Incident response should include reviewing DNS records for malicious payloads and applying containment measures to affected systems.
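The detection logic described above, as an added example that is not part of the rule itself: it scans DNS query log lines (an assumed Sysmon-style format with a 'QueryName:' field, and a constructed sample log) for a query label carrying the 'UWhRCA...BAAAA' marker and reports the query name together with the embedded blob.

```python
import base64
import re
from typing import Dict, List, Optional

# Marker from the rule summary: a base64 blob inside a DNS query name that
# starts with 'UWhRCA' and ends with 'BAAAA'. The page elides the middle of
# the blob, so any base64-alphabet run is accepted between the two anchors.
MARKER_RE = re.compile(r"UWhRCA[A-Za-z0-9+/]*BAAAA")

# Assumed log layout: one line per query with a 'QueryName:' field (Sysmon-like).
QUERY_RE = re.compile(r"QueryName:\s*(?P<qname>\S+)")

# Constructed sample log (not real telemetry): one benign lookup, one query whose
# first label carries a shortened marker blob, and one ordinary web lookup.
_CONSTRUCTED_BLOB = "UWhRCA" + "A" * 40 + "BAAAA"
SAMPLE_LOG: List[str] = [
    "Event 22 | Image: C:\\Windows\\System32\\svchost.exe | QueryName: dc01.corp.example.",
    "Event 22 | Image: C:\\Windows\\System32\\svchost.exe | QueryName: fs01"
    + _CONSTRUCTED_BLOB + ".corp.example.",
    "Event 22 | Image: C:\\Program Files\\Browser\\browser.exe | QueryName: www.example.",
]


def extract_blob(qname: str) -> Optional[str]:
    """Return the marker blob found in any label of a DNS query name, else None."""
    for label in qname.rstrip(".").split("."):
        m = MARKER_RE.search(label)
        if m:
            return m.group(0)
    return None


def blob_decodes(blob: str) -> bool:
    """True if the marker is well-formed base64 once padded to a multiple of 4."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        base64.b64decode(padded, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per matching line: the full query name and the embedded blob."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        q = QUERY_RE.search(line)
        if not q:
            continue
        blob = extract_blob(q.group("qname"))
        if blob and blob_decodes(blob):
            hits.append({"query": q.group("qname"), "blob": blob})
    return hits
```

Each hit gives the analyst the querying host's log line to pivot on for the source process and the resolved address, which is the starting point the summary recommends.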
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Network Traffic
- Logon Session
- Application Log
- Process
ATT&CK Techniques
- T1557
- T1557.001
- T1187
Created: 2025-06-14