Event ID 4887 — Certificate Services approved a certificate request and issued a certificate.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services approved a certificate request and issued a certificate.

Message

Certificate Services approved a certificate request and issued a certificate.

Request ID: %1
Requester: %2
Attributes: %3
Disposition: %4
SKI: %5
Subject: %6

Fields

Name                    Type           Description
RequestId               UnicodeString  Request ID
Requester               UnicodeString  Requester
Attributes              UnicodeString  Attributes
Disposition             UnicodeString  Disposition
SubjectKeyIdentifier    UnicodeString  SKI
Subject                 UnicodeString  Subject
Request_ID              UnicodeString
SKI                     UnicodeString
SubjectAlternativeName  UnicodeString
CertificateTemplate     UnicodeString
SerialNumber            UnicodeString
AuthenticationService   UnicodeString
AuthenticationLevel     UnicodeString
DCOMorRPC               UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4887,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.177448+00:00",
    "event_record_id": 16623045,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "24",
    "Requester": "ludus\\domainadmin",
    "Attributes": "",
    "Disposition": "3",
    "SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
    "Subject": "CN=pending-test.ludus.domain"
  },
  "message": ""
}

Detection Patterns

Detection Rules

Splunk

  • Windows Steal Authentication Certificates Certificate Issued: The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.
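A triage helper for correlating 4887 events, added here as an example; it is not part of this page's source material or of the Splunk analytic. It assumes events arrive as JSON in the shape of the example event above. The second and third sample events and the `subject_matches_requester` heuristic are constructed for illustration.

```python
# First sample is this page's example event; the other two are constructed.
SAMPLE_EVENTS = [
    {"system": {"event_id": 4887, "computer": "LAB-DC01.ludus.domain",
                "time_created": "2026-03-13T23:08:24.177448+00:00"},
     "event_data": {"RequestId": "24", "Requester": "ludus\\domainadmin",
                    "Disposition": "3", "Subject": "CN=pending-test.ludus.domain",
                    "SubjectKeyIdentifier":
                        "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a"}},
    {"system": {"event_id": 4887, "computer": "LAB-DC01.ludus.domain",
                "time_created": "2026-03-13T23:15:02.000000+00:00"},
     "event_data": {"RequestId": "25", "Requester": "ludus\\WS01$",
                    "Disposition": "3", "Subject": "CN=WS01.ludus.domain",
                    "SubjectKeyIdentifier": "00 11 22 33"}},
    {"system": {"event_id": 4624, "computer": "LAB-DC01.ludus.domain"},
     "event_data": {}},  # unrelated event ID, must be skipped
]

def subject_cn(subject):
    """Return the CN value from a Subject string such as 'CN=host.example', or ''."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""

def triage_4887(events):
    """Return one normalized record per Event ID 4887 for correlation and review."""
    records = []
    for ev in events:
        system = ev.get("system", {})
        if system.get("event_id") != 4887:
            continue
        data = ev.get("event_data", {})
        requester = data.get("Requester", "")
        # Account name without the domain prefix or a machine account's trailing '$'.
        account = requester.rsplit("\\", 1)[-1].rstrip("$").lower()
        cn = subject_cn(data.get("Subject", ""))
        records.append({
            "time": system.get("time_created", ""),
            "ca_host": system.get("computer", ""),
            "request_id": data.get("RequestId", ""),
            "requester": requester,
            "subject_cn": cn,
            "disposition": data.get("Disposition", ""),
            # SKI without spaces, so it can be joined against certificate inventories.
            "ski": data.get("SubjectKeyIdentifier", "").replace(" ", "").lower(),
            # Assumed review heuristic: does the CN's first label name the requester?
            "subject_matches_requester": bool(account) and cn.lower().split(".")[0] == account,
        })
    return records
```

A `False` in `subject_matches_requester` is a prompt for review, not a verdict: enrollment agents and user certificates whose CN is a display name will also produce it.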

References