Windows Kerberos Coercion via DNS

Splunk Security Content

Summary
This detection rule targets DNS-based Kerberos coercion, specifically the injection of marshaled credential structures into DNS records. The technique, linked to the vulnerability identified as CVE-2025-33073, spoofs Service Principal Names (SPNs) to redirect authentication. By monitoring Windows Security Event Codes 5136, 5137, and 4662, the rule looks for DNS object changes that contain CREDENTIAL_TARGET_INFORMATION entries indicative of this technique. The search logic combines these event codes with checks on object class and distinguished name patterns associated with malicious activity. Overall, the detection aims to flag anomalous DNS record changes that could signify an attestation manipulation attempt via Kerberos coercion.
Categories
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1071.004
  • T1557.001
  • T1187
Created: 2025-11-12