
Summary
This rule detects potential Kerberos coercion attacks through DNS manipulation, where attackers spoof Service Principal Names (SPNs) to redirect authentication attempts. In these scenarios, adversaries exploit DNS records in Active Directory containing a specific base64-encoded blob indicative of the CREDENTIAL_TARGET_INFORMATION structure, commonly utilized in such attacks. The detection mechanism relies on monitoring Active Directory changes specifically related to DNS records. These event types are not logged by default for Microsoft DNS objects, so audit rules must be configured in advance on the relevant DNS object containers to capture the necessary events. The detection logic identifies changes to DNS node objects, and object accesses, that match criteria indicating potential coercion tactics.
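The following is an added illustration of the detection logic described above; it is not the rule's own query and not code from the rule's author. It assumes a collector that flattens Directory Service change events (Event ID 5136) into key=value lines with the field names shown, and it uses a constructed placeholder marker in place of the rule's real CREDENTIAL_TARGET_INFORMATION blob, which this page does not reproduce. The sample event lines are constructed.

```python
import base64
import shlex
from typing import Dict, Iterable, List

# Placeholder marker (constructed). The real rule keys on a specific
# base64-encoded CREDENTIAL_TARGET_INFORMATION blob, which is not reproduced
# here; replace MARKER_BYTES with the signature your rule actually uses.
MARKER_BYTES = b"CREDENTIAL_TARGET_INFORMATION"


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line (quoted values allowed)."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def decoded_dns_record(event: Dict[str, str]) -> bytes:
    """Return the raw dnsRecord bytes carried by the event, or b'' if the
    event is not a dnsRecord write or the value is not valid base64."""
    if event.get("AttributeLDAPDisplayName") != "dnsRecord":
        return b""
    try:
        return base64.b64decode(event.get("AttributeValue", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def is_coercion_candidate(event: Dict[str, str]) -> bool:
    """Rule logic: a directory change (5136) to a dnsNode object whose
    decoded dnsRecord data contains the marker structure."""
    if event.get("EventID") != "5136":
        return False
    if event.get("ObjectClass") != "dnsNode":
        return False
    return MARKER_BYTES in decoded_dns_record(event)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the rule."""
    return [e for e in map(parse_event, lines) if is_coercion_candidate(e)]


def _b64(payload: bytes) -> str:
    """Encode a constructed dnsRecord payload the way the assumed collector
    would present it."""
    return base64.b64encode(payload).decode("ascii")


# Constructed sample records: a benign A-record update by a computer account,
# a dnsNode write whose record data carries the marker, and an unrelated
# user-object change that must not match.
SAMPLE_EVENTS = [
    'EventID=5136 ObjectClass=dnsNode '
    'ObjectDN="DC=fileserver,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example" '
    'AttributeLDAPDisplayName=dnsRecord '
    'AttributeValue=' + _b64(b"\x04\x00\x01\x00\x05\xf0\x00\x00" + bytes([10, 0, 0, 25])) + ' '
    'SubjectUserName=FILESERVER$',
    'EventID=5136 ObjectClass=dnsNode '
    'ObjectDN="DC=relay-target,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example" '
    'AttributeLDAPDisplayName=dnsRecord '
    'AttributeValue=' + _b64(b"\x04\x00\x01\x00" + MARKER_BYTES + b"\x00\x00") + ' '
    'SubjectUserName=jdoe',
    'EventID=5136 ObjectClass=user '
    'ObjectDN="CN=jdoe,OU=Staff,DC=corp,DC=example" '
    'AttributeLDAPDisplayName=servicePrincipalName '
    'AttributeValue=' + _b64(b"HOST/relay-target") + ' '
    'SubjectUserName=jdoe',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT dnsNode write by {hit['SubjectUserName']}: {hit['ObjectDN']}")
```

Because 5136 is not emitted for DNS objects unless a SACL is in place, the scan only has something to match once auditing of object modification has been enabled on the MicrosoftDNS containers; an empty result from this logic in an environment without that audit configuration is a logging gap, not evidence of absence.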
Categories
- Windows
- Network
- Identity Management
Data Sources
- Active Directory
- Logon Session
- Network Traffic
Created: 2025-06-20