Windows Event ID 4886 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Descriptor Modified

Start by examining the complete event details to understand what template permissions changed and who initiated the modification.

1. Open Event Viewer on your Certificate Authority server or domain controller
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4886 using the filter option
4. Double-click the event to view detailed information including:
   • Subject account that made the change
   • Template name and distinguished name
   • Old and new security descriptor values
   • Process information and logon session details
5. Document the template name, user account, and timestamp for further investigation
6. Check if the change aligns with authorized PKI maintenance activities

Review the Old Security Descriptor and New Security Descriptor fields to identify exactly which permissions changed. Compare these values to determine if enrollment rights, read permissions, or administrative access was modified.

Use PowerShell to analyze multiple Event ID 4886 occurrences and identify patterns or suspicious activity across your PKI infrastructure.

1. Run this PowerShell command to retrieve recent template security modifications:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4886} -MaxEvents 50 | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Template';Expression={$_.Properties[4].Value}}, @{Name='ProcessName';Expression={$_.Properties[9].Value}} | Format-Table -AutoSize

2. For detailed analysis of specific template changes, use:

$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4886} -MaxEvents 100
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $Properties = $XML.Event.EventData.Data
    Write-Host "Time: $($Event.TimeCreated)"
    Write-Host "User: $($Properties[1].'#text')"
    Write-Host "Template: $($Properties[4].'#text')"
    Write-Host "Process: $($Properties[9].'#text')"
    Write-Host "---"
}

3. Export results to CSV for further analysis:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4886} | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='Message';Expression={$_.Message}} | Export-Csv -Path "C:\Temp\Event4886_Analysis.csv" -NoTypeInformation

Analyze the output for unusual patterns such as multiple template modifications by the same user, changes during off-hours, or modifications to high-privilege templates.

Validate the current state of certificate template permissions to ensure they align with security policies and identify any unauthorized changes.

1. Open the Certificate Templates MMC snap-in on your Certificate Authority server
2. Navigate to Start → Run → type certtmpl.msc
3. Locate the template mentioned in the Event ID 4886 log entry
4. Right-click the template and select Properties
5. Click the Security tab to review current permissions
6. Document the current security settings and compare with your organization's PKI security baseline
7. Use PowerShell to enumerate template permissions programmatically:

Import-Module ActiveDirectory
$TemplateName = "WebServer" # Replace with your template name
$TemplateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration," + (Get-ADDomain).DistinguishedName
$Template = Get-ADObject -Identity $TemplateDN -Properties nTSecurityDescriptor
$SD = $Template.nTSecurityDescriptor
$SD.Access | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights | Format-Table -AutoSize

8. Check for unexpected permissions such as:
   • Domain Users with Enroll rights
   • Unauthorized security groups with Full Control
   • Service accounts with excessive permissions
9. Remediate any unauthorized permissions immediately

Cross-reference Event ID 4886 with related Active Directory events to build a complete picture of the security modification and identify potential security incidents.

1. Query for related security events around the same timeframe:

$StartTime = (Get-Date).AddHours(-2)
$EndTime = Get-Date
$RelatedEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4624,4625,4648,4768,4769,4886
    StartTime=$StartTime
    EndTime=$EndTime
} | Sort-Object TimeCreated

2. Check for suspicious logon events (4624) or authentication failures (4625) from the same user account
3. Look for Kerberos ticket events (4768, 4769) that might indicate lateral movement
4. Review Directory Service Access events (5136, 5137, 5139) for related AD modifications:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,5137,5139} -MaxEvents 100 | Where-Object {$_.Message -like "*Certificate*" -or $_.Message -like "*Template*"} | Select-Object TimeCreated, Id, Message

4. Examine the user account that made the template modification:
   • Verify the account is authorized for PKI administration
   • Check recent password changes or account modifications
   • Review group membership and privilege assignments
5. Use this PowerShell script to analyze user activity patterns:

$UserAccount = "DOMAIN\username" # Replace with actual account from event
$UserEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    StartTime=(Get-Date).AddDays(-7)
} | Where-Object {$_.Message -like "*$UserAccount*"}
$UserEvents | Group-Object Id | Select-Object Name, Count | Sort-Object Count -Descending

6. Document findings and escalate if unauthorized activity is detected

Establish proactive monitoring for Event ID 4886 to detect future unauthorized certificate template modifications in real-time.

1. Create a custom Windows Event Forwarding (WEF) subscription to centralize Event ID 4886 collection:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>PKI-Template-Security-Changes</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Certificate Template Security Modifications</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Custom</ConfigurationMode>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4886]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>

2. Set up a PowerShell scheduled task for automated alerting:

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-Event4886.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "PKI-Template-Monitor" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

3. Create the monitoring script C:\Scripts\Monitor-Event4886.ps1:

# Monitor-Event4886.ps1
$LastCheck = (Get-Date).AddMinutes(-15)
$NewEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4886
    StartTime=$LastCheck
} -ErrorAction SilentlyContinue

if ($NewEvents) {
    foreach ($Event in $NewEvents) {
        $XML = [xml]$Event.ToXml()
        $User = $XML.Event.EventData.Data[1].'#text'
        $Template = $XML.Event.EventData.Data[4].'#text'
        
        # Send alert email or SIEM notification
        $Subject = "ALERT: Certificate Template Security Modified"
        $Body = "Template: $Template`nUser: $User`nTime: $($Event.TimeCreated)"
        # Add your notification logic here
    }
}

4. Configure Windows Event Log size and retention for the Security log:

wevtutil sl Security /ms:1073741824  # Set to 1GB
wevtutil sl Security /rt:false       # Disable log overwrite

5. Implement baseline monitoring by documenting authorized template modifications and creating exception lists for legitimate administrative accounts