Certificate Use With No Strong Mapping

Summary
This rule detects cases where the Kerberos Key Distribution Center (KDC) on a domain controller accepted a user certificate that was valid but could not be strongly mapped to a user account (for example via an explicit certificate mapping, a key trust mapping, or the SID extension introduced by KB5014754). Weak mappings based only on a UPN or DNS name are what made CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923 exploitable: an attacker who can influence those certificate fields can obtain a certificate that the KDC maps to a different, more privileged account, and so elevate privileges in the domain. The rule matches events written to the System log by the Microsoft-Windows-Kerberos-Key-Distribution-Center provider with Event ID 39 (certificate valid but not strongly mapped) or 41 (certificate contained a different SID than the account it mapped to), and flags discrepancies between the AccountName in the event and the Common Name (CN) of the Certificate Subject. Of particular concern is a Subject CN that looks like a machine account (a name with a trailing dollar sign) being used for a user account, since that is the pattern of the certificate-spoofing attacks above. The rule is assigned a medium severity level. Legitimate but weakly mapped certificates will also produce these events, so tune the rule by filtering on the naming conventions expected in your environment to reduce false positives.
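The following is an added Python example, not the Sigma project's rule or any code from the original page, that applies the detection logic described above to a handful of constructed event records. The field names (Provider_Name, EventID, AccountName, Subject) are assumed to mirror the Kerberos-Key-Distribution-Center event data the rule keys on; the sample events themselves are invented for illustration.

```python
import re

KDC_PROVIDER = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
# Event 39: valid cert, no strong mapping; event 41: cert SID differs from mapped user.
WEAK_MAPPING_EVENT_IDS = {39, 41}

# Matches the first CN= relative distinguished name in an X.500-style subject.
# Assumes the unescaped "CN=x, OU=y, DC=z" rendering; escaped commas in an RDN
# would need a real DN parser.
_CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)")

# Constructed sample events (not real log data). Field names are assumptions.
SAMPLE_EVENTS = [
    # Certificate CN agrees with the account: weakly mapped but expected.
    {"Provider_Name": KDC_PROVIDER, "EventID": 39, "AccountName": "jdoe",
     "Subject": "CN=jdoe, OU=Users, DC=corp, DC=local"},
    # Domain-qualified account name, same CN: still agrees after normalisation.
    {"Provider_Name": KDC_PROVIDER, "EventID": 39, "AccountName": "CORP\\jdoe",
     "Subject": "CN=jdoe, OU=Users, DC=corp, DC=local"},
    # Machine-name CN presented for a user account: the pattern of concern.
    {"Provider_Name": KDC_PROVIDER, "EventID": 39, "AccountName": "jdoe",
     "Subject": "CN=DC01$, OU=Domain Controllers, DC=corp, DC=local"},
    # SID mismatch event where the CN names a different user than the account.
    {"Provider_Name": KDC_PROVIDER, "EventID": 41, "AccountName": "svc_backup",
     "Subject": "CN=Administrator, CN=Users, DC=corp, DC=local"},
    # Out of scope: different event ID from the same provider.
    {"Provider_Name": KDC_PROVIDER, "EventID": 38, "AccountName": "jdoe",
     "Subject": "CN=DC01$, OU=Domain Controllers, DC=corp, DC=local"},
    # Out of scope: right event ID, wrong provider.
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 39,
     "AccountName": "jdoe", "Subject": "CN=DC01$, DC=corp, DC=local"},
]


def subject_cn(subject):
    """Return the first CN value from a subject string, or None if absent."""
    m = _CN_RE.search(subject or "")
    return m.group(1).strip() if m else None


def account_sam(account_name):
    """Strip a DOMAIN\\ prefix or @domain suffix so the bare account name remains."""
    return (account_name or "").split("\\")[-1].split("@")[0]


def classify(event):
    """Return a finding dict when the event matches the rule logic, else None."""
    if event.get("Provider_Name") != KDC_PROVIDER:
        return None
    if event.get("EventID") not in WEAK_MAPPING_EVENT_IDS:
        return None
    cn = subject_cn(event.get("Subject"))
    if cn is None:
        return None
    account = account_sam(event.get("AccountName"))
    # Windows account names are case-insensitive, so compare folded.
    if cn.casefold() == account.casefold():
        return None  # CN and account agree: weak mapping, but no spoofing indicator
    return {
        "EventID": event["EventID"],
        "AccountName": event.get("AccountName"),
        "SubjectCN": cn,
        # A trailing '$' marks a machine account name in the CN.
        "machine_cert": cn.endswith("$"),
    }


def detect(events):
    """Run the rule over an iterable of events and return the findings in order."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Tuning for a real environment happens in `classify`: the place to add allow-lists for expected CN/AccountName pairs (service accounts whose certificates are issued under a different name, for instance) is just before the finding is returned, mirroring the false-positive filtering the rule description recommends.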
Categories
  • Windows
Data Sources
  • Certificate
  • Logon Session
  • Active Directory
Created: 2023-10-09