Detecting ADCS Abuse with Windows Event IDs: A Blue Team Reference
Detecting ADCS abuse requires specific audit logging configuration and knowledge of which Event IDs correspond to which attack techniques. This reference maps the most important ADCS Event IDs to their corresponding attack techniques and provides SIEM query templates for each.
Enabling ADCS Audit Logging
ADCS audit logging is not enabled by default. Run the following command on each CA server to enable full audit logging, then restart the CertSvc service:
# Enable all ADCS audit categories certutil -setreg CA\AuditFilter 127 net stop certsvc && net start certsvc # Verify audit logging is enabled certutil -getreg CA\AuditFilter
Key Event IDs for ADCS Detection
The following Event IDs are generated by ADCS operations and are relevant for detecting abuse:
- Event 4886 — Certificate Services received a certificate request. Log all instances; alert on requests for sensitive templates (DomainController, SmartCardLogon) from unexpected hosts.
- Event 4887 — Certificate Services approved and issued a certificate. Correlate with 4886; alert on DC certificates issued to non-DC accounts.
- Event 4888 — Certificate Services denied a certificate request. High volume may indicate enumeration or failed exploitation attempts.
- Event 4899 — A Certificate Services template was changed. Any instance should be investigated — template changes are rare in production.
- Event 4900 — Certificate Services template security was updated. Correlate with 4899 for ACL modification attacks (ESC4).
- Event 4768/4769 — Kerberos TGT/TGS requests using PKINIT. Alert on PKINIT authentication from unexpected accounts or hosts.
SIEM Query Templates
Example Splunk queries for key detection scenarios:
# Alert on DC certificate issuance to non-DC accounts index=wineventlog EventCode=4887 | search CertificateTemplate="DomainController" OR CertificateTemplate="DomainControllerAuthentication" | where NOT match(RequesterName, ".*\\$") # Alert on certificate template modifications index=wineventlog EventCode=4899 OR EventCode=4900 | table _time, ComputerName, SubjectUserName, TemplateName
ADCS abuse is difficult to detect without purpose-built logging and detection rules. Most SIEM deployments do not include ADCS Event IDs in their default rule sets. Adding these detection rules is low-effort and high-value — ADCS abuse is common, and these Event IDs provide clear, actionable signals.
- 1Enable ADCS audit logging on all CA servers immediately.
- 2Ingest ADCS Event IDs (4886, 4887, 4888, 4899, 4900) into your SIEM.
- 3Create alerts for DC certificate issuance to non-DC accounts.
- 4Create alerts for any certificate template modification (Event 4899/4900).
- 5Baseline normal certificate request volume and alert on significant deviations.
ADCS audit logging is free, takes five minutes to enable, and provides the visibility needed to detect the most common ADCS attack techniques. There is no reason not to have it enabled. If you are reading this and your CA audit logging is not enabled, stop and enable it now.
InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.
