Back to Blog
ADCSMay 5, 20265 min read

Detecting ADCS Abuse with Windows Event IDs: A Blue Team Reference

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

Detecting ADCS abuse requires specific audit logging configuration and knowledge of which Event IDs correspond to which attack techniques. This reference maps the most important ADCS Event IDs to their corresponding attack techniques and provides SIEM query templates for each.

Enabling ADCS Audit Logging

ADCS audit logging is not enabled by default. Run the following command on each CA server to enable full audit logging, then restart the CertSvc service:

# Enable all ADCS audit categories
certutil -setreg CA\AuditFilter 127
net stop certsvc && net start certsvc

# Verify audit logging is enabled
certutil -getreg CA\AuditFilter

Key Event IDs for ADCS Detection

The following Event IDs are generated by ADCS operations and are relevant for detecting abuse:

  • Event 4886 — Certificate Services received a certificate request. Log all instances; alert on requests for sensitive templates (DomainController, SmartCardLogon) from unexpected hosts.
  • Event 4887 — Certificate Services approved and issued a certificate. Correlate with 4886; alert on DC certificates issued to non-DC accounts.
  • Event 4888 — Certificate Services denied a certificate request. High volume may indicate enumeration or failed exploitation attempts.
  • Event 4899 — A Certificate Services template was changed. Any instance should be investigated — template changes are rare in production.
  • Event 4900 — Certificate Services template security was updated. Correlate with 4899 for ACL modification attacks (ESC4).
  • Event 4768/4769 — Kerberos TGT/TGS requests using PKINIT. Alert on PKINIT authentication from unexpected accounts or hosts.

SIEM Query Templates

Example Splunk queries for key detection scenarios:

# Alert on DC certificate issuance to non-DC accounts
index=wineventlog EventCode=4887 
| search CertificateTemplate="DomainController" OR CertificateTemplate="DomainControllerAuthentication"
| where NOT match(RequesterName, ".*\\$")

# Alert on certificate template modifications
index=wineventlog EventCode=4899 OR EventCode=4900
| table _time, ComputerName, SubjectUserName, TemplateName
Why It Matters

ADCS abuse is difficult to detect without purpose-built logging and detection rules. Most SIEM deployments do not include ADCS Event IDs in their default rule sets. Adding these detection rules is low-effort and high-value — ADCS abuse is common, and these Event IDs provide clear, actionable signals.

Recommended Actions
  1. 1Enable ADCS audit logging on all CA servers immediately.
  2. 2Ingest ADCS Event IDs (4886, 4887, 4888, 4899, 4900) into your SIEM.
  3. 3Create alerts for DC certificate issuance to non-DC accounts.
  4. 4Create alerts for any certificate template modification (Event 4899/4900).
  5. 5Baseline normal certificate request volume and alert on significant deviations.
InsecurePlanet Take

ADCS audit logging is free, takes five minutes to enable, and provides the visibility needed to detect the most common ADCS attack techniques. There is no reason not to have it enabled. If you are reading this and your CA audit logging is not enabled, stop and enable it now.

ADCSDetectionBlue TeamEvent IDs
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon