Event ID 4882 — The security permissions for Certificate Services changed.
Description
The security permissions for Certificate Services changed.
Message #
Fields #
| Name | Description |
|---|---|
SecuritySettings UnicodeString | — |
SubjectUserSid SID | — |
SubjectUserName UnicodeString | — |
SubjectDomainName UnicodeString | — |
SubjectLogonId HexInt64 | — |
Community Notes #
Records changes to a CA ACL, may indicate privilege escalation via addition of rogue accounts. Critical for detecting AD CS abuse.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882