Enrollment Attempt With Adcsesc1honeypot Template
Query
SecurityEvent
// Report all certificate request to the honeypot PKI
| where EventID == 4886
| parse EventData with * 'RequestClientInfo">' * 'User: ' RequestUser: string 'Machine:' RequestMachine: string 'Process:' RequestProcess: string "</" *
| parse EventData with * 'CertificateTemplate">' CertificateTemplate: string "</" *
// Check if the request was denied as planned
| lookup (SecurityEvent
| where EventID == 4888
| project DeniedTimeGenerated = TimeGenerated, RequestId, DeniedActivity = Activity)
on RequestId
| extend DeniedActivity = iff(isempty(DeniedActivity), "Request was NOT denied", "Request was denied")
| extend AlertSeverity = iff(DeniedActivity == "Request was NOT denied", "High", "Medium")
| extend Hostname = split(RequestMachine, '.')[0]
| extend HostDomainName = split(RequestMachine, '.')[1]
| extend RequestUserDomain = split(RequestUser, @'\')[0]
| extend RequestUserName = split(RequestUser, @'\')[1]
| project
TimeGenerated,
Computer,
Activity,
RequestUser,
RequestMachine,
RequestProcess,
CertificateTemplate,
Subject,
DeniedTimeGenerated,
DeniedActivity,
RequestId,
EventID,
EventData,
AlertSeverity,
Hostname,
HostDomainName,
RequestUserDomain,
RequestUserNameExplanation
This query is designed to detect suspicious activity related to Active Directory Certificate Services (AD CS) by monitoring for requests to a honeypot certificate template that is vulnerable to a specific attack (ESC1). Here's a simplified breakdown of what the query does:
-
Source of Data: It looks at security events, specifically those with an EventID of 4886, which indicates a certificate request.
-
Parsing Event Data: The query extracts details from the event data, such as the user who made the request, the machine and process used, and the certificate template requested.
-
Checking Request Status: It checks if the certificate request was denied by looking for a corresponding event with EventID 4888. If the request was not denied, it raises the alert severity to "High"; otherwise, it remains "Medium".
-
Extracting Additional Information: The query further breaks down the requestor's machine and user details into components like hostname, domain name, and user domain.
-
Projecting Relevant Information: It selects specific fields to include in the output, such as the time of the event, computer name, activity, and alert severity.
-
Alert Configuration: The query sets up alerts with custom details and maps entities like accounts and hosts for further analysis. It also configures incident creation and grouping based on account details.
-
Suppression and Incident Management: Suppression is disabled, meaning alerts will not be automatically suppressed, and incidents will be created and grouped based on specific criteria.
Overall, this query is used to identify potentially compromised user accounts and devices by detecting unauthorized certificate requests to a honeypot template, which could indicate malicious activity.
Details

Fabian Bader
Released: August 24, 2025
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques