Event ID 4898 — Certificate Services loaded a template.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services loaded a template.

Message

Certificate Services loaded a template.

%1 v%2 (Schema V%3)
%4
%5

Template Information:
	Template Content: %7
	Security Descriptor: %8

Additional Information:
	Domain Controller: %6

Fields

| Name | Type | Description |
| --- | --- | --- |
| TemplateInternalName | UnicodeString | |
| TemplateVersion | UnicodeString | v |
| TemplateSchemaVersion | UnicodeString | (Schema V |
| TemplateOID | UnicodeString | |
| TemplateDSObjectFQDN | UnicodeString | |
| DCDNSName | UnicodeString | [Additional Information] Domain Controller |
| TemplateContent | UnicodeString | [Template Information] Template Content |
| SecurityDescriptor | UnicodeString | [Template Information] Security Descriptor |
Domain_Controller
Template_Content
Security_Descriptor

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4898,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.061177+00:00",
    "event_record_id": 16623041,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10928
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TemplateInternalName": "WebServer",
    "TemplateVersion": "4.1",
    "TemplateSchemaVersion": "1",
    "TemplateOID": " ",
    "TemplateDSObjectFQDN": "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain",
    "DCDNSName": "LAB-DC01.ludus.domain",
    "TemplateContent": "\nflags = 0x10241 (66113)\n  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n  CT_FLAG_MACHINE_TYPE -- 0x40 (64)\n  CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)\n  CT_FLAG_IS_DEFAULT -- 0x10000 (65536)\n\nmsPKI-Private-Key-Flag = 0x0 (0)\n  CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0x0\n  TEMPLATE_SERVER_VER_NONE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 0x0\n  TEMPLATE_CLIENT_VER_NONE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 0x0\n\nmsPKI-Certificate-Name-Flag = 0x1 (1)\n  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n\nmsPKI-Enrollment-Flag = 0x0 (0)\n\nmsPKI-Template-Schema-Version = 1\n\nrevision = 4\n\nmsPKI-Template-Minor-Revision = 1\n\npKIDefaultKeySpec = 1\n\npKIExpirationPeriod = 2 Years\n\npKIOverlapPeriod = 6 Weeks\n\ncn = WebServer\n\ndistinguishedName = WebServer\n\npKIKeyUsage = a0\n\ndisplayName = Web Server\n\ntemplateDescription = Computer\n\npKIExtendedKeyUsage =\n  1.3.6.1.5.5.7.3.1 Server Authentication\n\npKIDefaultCSPs =\n  Microsoft RSA SChannel Cryptographic Provider\n  Microsoft DH SChannel Cryptographic Provider\n\nmsPKI-Supersede-Templates =\n\nmsPKI-RA-Policies =\n\nmsPKI-RA-Application-Policies =\n\nmsPKI-Certificate-Policy =\n\nmsPKI-Certificate-Application-Policy =\n\npKICriticalExtensions =\n  2.5.29.15 Key Usage\n",
    "SecurityDescriptor": "O:S-1-5-21-1006758700-2167138679-1475694448-519G:S-1-5-21-1006758700-2167138679-1475694448-519D:PAI(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;LCRPLORC;;;AU)\n\nAllow\tludus\\Domain Admins\n\tEnroll\nAllow\tludus\\Enterprise Admins\n\tEnroll\nAllow(0x000f00ff)\tludus\\Domain Admins\n\tFull Control\nAllow(0x000f00ff)\tludus\\Enterprise Admins\n\tFull Control\nAllow(0x00020094)\tNT AUTHORITY\\Authenticated Users\n\tRead\n"
  },
  "message": ""
}
