Event ID 4886 — Certificate Services received a certificate request.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services received a certificate request.

Message

Certificate Services received a certificate request.
	
Request ID: %1
Requester: %2
Attributes: %3

Fields

Name                     Type            Description
RequestId                UnicodeString   Request ID
Requester                UnicodeString   Requester
Attributes               UnicodeString   Attributes
Request_ID               UnicodeString
Subject                  UnicodeString
SubjectAlternativeName   UnicodeString
CertificateTemplate      UnicodeString
RequestOSVersion         UnicodeString
RequestCSPProvider       UnicodeString
RequestClientInfo        UnicodeString
AuthenticationService    UnicodeString
AuthenticationLevel      UnicodeString
DCOMorRPC                UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4886,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.051496+00:00",
    "event_record_id": 16623040,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10928
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "24",
    "Requester": "ludus\\domainadmin",
    "Attributes": "\nccm:LAB-DC01.ludus.domain"
  },
  "message": ""
}

Detection Patterns

Detection Rules

Splunk

  • Windows Steal Authentication Certificates Certificate Request: The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.

References