If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user (that is, keep only the matches where the two names disagree and suppress those where they agree).

Techniques

Sample rules

Certificate Use With No Strong Mapping

Description

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). Event ID 39 is logged when the KDC found no strong mapping at all; Event ID 41 is logged when the certificate carried a SID that differs from the SID of the user it was mapped to. Both are written by the Kerberos-Key-Distribution-Center provider to the System log of domain controllers that have the KB5014754 certificate-based authentication changes installed. This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine account, may indicate certificate spoofing.

Detection logic

condition: selection
selection:
  EventID:
  - 39
  - 41
  Provider_Name: Kerberos-Key-Distribution-Center
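As an added example (not part of the LoFP page or the Sigma rule), the Python below applies the rule's selection to a handful of constructed KDC events and then triages each match with the two heuristics from the description (AccountName vs. Subject CN, CN ending in "$") and the false-positive filter above. The `triage`, `message_field` and `account_token` helpers and the sample messages are assumptions modelled on the KB5014754 Event 39/41 message layout, not output captured from a real domain controller.

```python
"""Added example: Sigma selection + triage for KDC Event 39/41 (not the rule's own code)."""
import re

PROVIDER = "Kerberos-Key-Distribution-Center"
EVENT_IDS = {39, 41}


def sigma_selection(event):
    """The rule's detection block: Provider_Name AND EventID in (39, 41)."""
    return event.get("Provider_Name") == PROVIDER and event.get("EventID") in EVENT_IDS


def message_field(message, name):
    """Pull 'Name: value' from the event body, which carries one field per line."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*?)[ \t]*$", message, re.MULTILINE)
    return m.group(1) if m else None


def subject_cn(subject):
    """First CN= attribute of an LDAP-style subject DN, or None if absent."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject or "")
    return m.group(1).strip() if m else None


def account_token(name):
    """Normalise 'CORP\\jsmith', 'jsmith@corp.local' or 'jsmith' to 'jsmith'.
    Assumption: the domain part is irrelevant for the comparison."""
    if name is None:
        return None
    name = name.rsplit("\\", 1)[-1]   # strip NetBIOS domain prefix
    name = name.split("@", 1)[0]      # strip UPN suffix
    return name.lower()


def triage(event):
    """Verdict for one event: the rule's selection first, then the heuristics."""
    if not sigma_selection(event):
        return "not_matched"
    if event["EventID"] == 41:
        return "sid_mismatch"          # cert SID != SID of the mapped user
    msg = event["Message"]
    user = message_field(msg, "User")
    cn = subject_cn(message_field(msg, "Certificate Subject"))
    if user is None or cn is None:
        return "review"                # cannot evaluate the heuristics, keep for analyst
    if cn.endswith("$"):
        return "machine_cn"            # CN names a machine account (checked before the FP filter)
    if account_token(cn) == account_token(user):
        return "benign_weak_mapping"   # the falsepositives filter: same user, weak mapping only
    return "name_mismatch"


# Constructed messages, abbreviated from the KB5014754 Event 39/41 text.
_HEADERS = {
    39: "The Key Distribution Center (KDC) encountered a user certificate that was valid "
        "but could not be mapped to a user in a strong way.",
    40: "The Key Distribution Center (KDC) encountered a user certificate that was valid "
        "but predated the user.",
    41: "The Key Distribution Center (KDC) encountered a user certificate that was valid "
        "but contained a different SID than the user to which it mapped.",
}


def kdc_event(event_id, user, subject, extra=""):
    """Build a constructed System-log record in the shape the rule's logsource expects."""
    body = (f"{_HEADERS[event_id]}\n\nUser: {user}\nCertificate Subject: {subject}\n"
            f"Certificate Issuer: CN=CORP-CA,DC=corp,DC=local\n{extra}")
    return {"Provider_Name": PROVIDER, "EventID": event_id, "Message": body}


SAMPLE_EVENTS = [
    kdc_event(39, "CORP\\jsmith", "CN=jsmith,OU=Users,DC=corp,DC=local"),          # same user
    kdc_event(39, "CORP\\Administrator", "CN=jsmith,OU=Users,DC=corp,DC=local"),   # mapped to another user
    kdc_event(39, "CORP\\DC01$", "CN=WS01$"),                                       # machine CN
    kdc_event(41, "CORP\\Administrator", "CN=jsmith,OU=Users,DC=corp,DC=local",
              extra="Certificate SID: S-1-5-21-1111111111-2222222222-3333333333-1107\n"),
    kdc_event(40, "CORP\\jsmith", "CN=jsmith,OU=Users,DC=corp,DC=local"),          # not in the rule
]


def run_samples(events=SAMPLE_EVENTS):
    """Verdict per sample event, in order."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(event["EventID"], verdict)
```

`account_token` drops the domain on purpose, so two accounts with the same name in different domains would be treated as the same user; keep the domain in the comparison if that distinction matters in a multi-domain forest. The machine-CN check runs before the false-positive filter because the description treats a "$" CN as a spoofing indicator on its own, independent of whether the names agree.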