
Summary
This detection rule targets suspicious DNS queries with characteristics linked to Kerberos coercion attacks via DNS object spoofing. The rule matches a specific pattern in the DNS query, the string "1UWhRCAAAAA..BAAAA", which is the base64-encoded signature of the CREDENTIAL_TARGET_INFORMATION structure. Attackers employ this technique to manipulate DNS records, spoofing Service Principal Names (SPNs) so that victim systems are coerced into authenticating to attacker-controlled hosts. The rule serves as a critical alert for attempts resembling CVE-2025-33073 and indicates a high potential risk to Kerberos authentication. The alert level is high, reflecting the seriousness of Kerberos coercion, which can lead to credential access and privilege escalation. The rule is tagged under several attack categories related to credential access and persistence, illustrating its relevance to current threat landscapes.
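As an added illustration of the detection logic described above (example code written for this page, not the rule's own implementation), the following Python scans constructed Sysmon-style DNS query log lines for the signature the rule names. It assumes that the ".." in the page's string stands for any two characters (the regex wildcard reading of the pattern) and that the match is case-sensitive, since base64 is case-sensitive; the log format, host names and query names are constructed sample data.

```python
import re
from dataclasses import dataclass

# Signature quoted by the rule: base64 prefix of the marshaled
# CREDENTIAL_TARGET_INFORMATION structure. The ".." in the page's string is
# treated here as "any two characters", which is an assumption about the
# rule's wildcard semantics. Base64 is case-sensitive, so no IGNORECASE.
SIGNATURE = re.compile(r"1UWhRCAAAAA..BAAAA")


@dataclass
class Alert:
    line_no: int
    host: str
    query: str
    level: str = "high"   # alert level stated by the rule


def parse_dns_event(line: str) -> dict:
    """Parse a constructed 'key=value' DNS query log line into a dict.

    Field names (EventID, Computer, QueryName) mirror Sysmon Event ID 22
    DNS query events; the line layout itself is constructed for this example.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def scan_dns_log(lines) -> list:
    """Return one Alert per log line whose QueryName carries the signature."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        event = parse_dns_event(line)
        query = event.get("QueryName", "")
        if SIGNATURE.search(query):
            alerts.append(Alert(line_no, event.get("Computer", "?"), query))
    return alerts


# Constructed sample log: one benign lookup, one hit, and one near-miss that
# lacks the two wildcard characters and therefore must not match.
SAMPLE_LOG = [
    "EventID=22 Computer=WS01 QueryName=time.windows.com",
    "EventID=22 Computer=WS01 QueryName=host1UWhRCAAAAAxyBAAAAzz.corp.example",
    "EventID=22 Computer=DC01 QueryName=1UWhRCAAAAABAAAA.corp.example",
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(f"[{alert.level}] line {alert.line_no} host={alert.host} query={alert.query}")
```

The near-miss line shows why the wildcard reading matters: a detection that only checks for the fixed prefix "1UWhRCAAAAA" would fire on it, while the full pattern from the rule does not, so the two readings should be reconciled against the actual rule source before deploying.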
Categories
- Network
- Endpoint
- Windows
Data Sources
- Network Traffic
- Process
- Application Log
Created: 2025-06-20