if prevalent in the environment, filter on cns that end in a dollar sign indicating it is a machine name

windows
sigma

Techniques

Sample rules

Certificate Use With No Strong Mapping

source: sigma
technicques:

Description

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

Detection logic

condition: selection
selection:
  EventID:
  - 39
  - 41
  Provider_Name: Kerberos-Key-Distribution-Center