Type: Detection | Level: medium | Status: test

Certificate Use With No Strong Mapping

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and the CN of the Subject do not match, or where the CN ends in a dollar sign (indicating a machine account), may indicate certificate spoofing.

Author: @br4dy5 | Created: Mon Oct 09 | Updated: Mon Sep 22 | Rule ID: 993c2665-e6ef-40e3-a62a-e1a97686af79 | Product: windows
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (1 selector)
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 39
            - 41 # For Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
    condition: selection
False Positives

If the event is prevalent in the environment, narrow the alert to events where the AccountName and the CN of the Subject do not reference the same user.

If the event is prevalent in the environment, narrow the alert to CNs that end in a dollar sign, indicating a machine account name.
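The following added example (not part of the Sigma rule or the Sigma project) implements the selection block above in Python and then applies the two triage heuristics from the description and the False Positives section: an AccountName that does not match the Subject CN, and a Subject CN ending in a dollar sign. The sample events are constructed, and the field names AccountName and Subject follow the wording of the rule rather than a captured Windows event record; map them onto the actual fields of Event ID 39/41 in your own pipeline.

```python
import re
from typing import Optional

# Sigma selection from the rule above, expressed in Python.
PROVIDER_NAMES = {
    "Kerberos-Key-Distribution-Center",
    "Microsoft-Windows-Kerberos-Key-Distribution-Center",
}
EVENT_IDS = {39, 41}  # 41 on Windows Server 2008 R2 SP1 / 2008 SP2

# Constructed sample events (assumption: field names AccountName and Subject
# follow the rule text, not the real event layout).
SAMPLE_EVENTS = [
    # benign: certificate subject CN matches the authenticating account
    {"Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
     "EventID": 39, "AccountName": "CORP\\jdoe",
     "Subject": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # suspicious: account name and subject CN refer to different users
    {"Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
     "EventID": 39, "AccountName": "CORP\\Administrator",
     "Subject": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # suspicious: subject CN ends in '$', i.e. a machine account name
    {"Provider_Name": "Kerberos-Key-Distribution-Center",
     "EventID": 41, "AccountName": "jdoe@corp.example",
     "Subject": "CN=WS01$,OU=Computers,DC=corp,DC=example"},
    # not selected: different event ID
    {"Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
     "EventID": 40, "AccountName": "CORP\\jdoe",
     "Subject": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # not selected: different provider
    {"Provider_Name": "Microsoft-Windows-Security-Auditing",
     "EventID": 39, "AccountName": "CORP\\jdoe",
     "Subject": "CN=jdoe,OU=Users,DC=corp,DC=example"},
]


def matches_selection(event: dict) -> bool:
    """The rule's 'selection' block: provider AND event ID must both match."""
    return (event.get("Provider_Name") in PROVIDER_NAMES
            and event.get("EventID") in EVENT_IDS)


def subject_cn(subject: str) -> Optional[str]:
    """Return the CN attribute of an X.500 subject string, or None if absent.
    Splits on commas that are not backslash-escaped."""
    for rdn in re.split(r"(?<!\\),", subject):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.strip()
    return None


def account_sam(account_name: str) -> str:
    """Reduce 'DOMAIN\\user' or 'user@realm' to the bare account name."""
    name = account_name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]


def triage(event: dict) -> dict:
    """Apply the two heuristics from the rule description to a selected event."""
    cn = subject_cn(event.get("Subject", "")) or ""
    sam = account_sam(event.get("AccountName", ""))
    return {
        "AccountName": event.get("AccountName"),
        "SubjectCN": cn,
        # sAMAccountName comparison is case-insensitive
        "name_mismatch": cn.casefold() != sam.casefold(),
        "machine_cn": cn.endswith("$"),
    }


def run(events: list, only_suspicious: bool = False) -> list:
    """Select events per the Sigma rule; with only_suspicious=True keep only
    those showing a name mismatch or a machine CN (the False Positives tuning)."""
    findings = []
    for ev in events:
        if not matches_selection(ev):
            continue
        result = triage(ev)
        if only_suspicious and not (result["name_mismatch"] or result["machine_cn"]):
            continue
        findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS, only_suspicious=True):
        print(finding)
```

Running the block prints the two suspicious findings; calling run() without only_suspicious returns all three selected events, which is what the unmodified Sigma rule would alert on.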

Rule Metadata
Rule ID
993c2665-e6ef-40e3-a62a-e1a97686af79
Status
test
Level
medium
Type
Detection
Created
Mon Oct 09
Modified
Mon Sep 22
Author
@br4dy5
Path
rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
Raw Tags
attack.privilege-escalation