
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network

Sigma Rules

Summary
This detection rule flags DNS queries that may indicate Kerberos coercion via DNS object SPN spoofing. It looks for the substring '1UWhRCAAAAA..BAAAA' in the queried name: a base64-encoded marker derived from a marshaled CREDENTIAL_TARGET_INFORMATION structure. An adversary who can create or modify DNS records embeds such a structure in a record's name so that the resulting SPN causes a victim's authentication request to be redirected to an attacker-controlled host; the technique is a building block of attacks such as the one exploiting CVE-2025-33073. Because the rule fires on the presence of this pattern alone, every hit should be treated as a potential compromise and investigated. The rule is labelled high severity and experimental, meaning its detection logic is still being refined.
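The following is an added example of the rule's detection logic run over a few constructed DNS query log lines; it is not code from the Sigma rule or its authors. It assumes that the '..' in the page's notation '1UWhRCAAAAA..BAAAA' stands for an arbitrary run of base64 characters between the two fixed fragments, and it uses a made-up tab-separated log format; the sample records are constructed, not captured.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# The two fixed fragments the rule page quotes as '1UWhRCAAAAA..BAAAA'.
# ASSUMPTION: the '..' denotes an arbitrary run of base64 characters between
# the fragments (the marshaled structure carries variable-length fields), so
# the gap is compiled as a bounded, non-greedy wildcard. No IGNORECASE flag:
# base64 is case-sensitive, and widening the match would go beyond the rule.
SIGNATURE = re.compile(r"1UWhRCAAAAA[A-Za-z0-9+/=]{0,512}?BAAAA")


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    client: str
    qtype: str
    qname: str


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one line of a CONSTRUCTED, tab-separated DNS query log.

    Assumed format (hypothetical, not a vendor's real format):
        <timestamp>\t<client_ip>\t<qtype>\t<qname>
    Malformed lines return None so one bad record does not abort a sweep.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return DnsQuery(ts, client, qtype, qname.rstrip("."))


def is_spn_coercion_query(qname: str) -> bool:
    """True if the queried name embeds the rule's marshaled target-info marker.

    The base64 blob may be split across several DNS labels, so label
    separators are removed before matching.
    """
    return SIGNATURE.search(qname.replace(".", "")) is not None


def scan(lines: Iterable[str]) -> Iterator[DnsQuery]:
    """Yield every parsable record whose query name matches the signature."""
    for line in lines:
        query = parse_line(line)
        if query is not None and is_spn_coercion_query(query.qname):
            yield query


# Constructed sample log (not a real capture). Only the third record carries
# the marker; the last one is a lowercase decoy that must NOT match.
SAMPLE_LOG = [
    "2025-06-20T09:00:01Z\t10.0.0.15\tA\tfileserver01.corp.example.",
    "2025-06-20T09:00:02Z\t10.0.0.15\tAAAA\twww.example.com.",
    "2025-06-20T09:00:03Z\t10.0.0.15\tA\t"
    "srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAA.corp.example.",
    "garbage line with no tab separators",
    "2025-06-20T09:00:05Z\t10.0.0.15\tA\tsrv1uwhrcaaaaa-decoy.corp.example.",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit.ts} {hit.client} {hit.qtype} {hit.qname}")
```

Running the module prints one alert, for the record whose name carries the marker. If your resolver or log pipeline lowercases query names before they reach you, this case-sensitive match will miss; relax it only deliberately, since the rule as documented describes the case-exact fragments.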
Categories
  • Network
Data Sources
  • Network Traffic
  • Domain Name
Created: 2025-06-20