Tag
This analytic detects suspicious certificate issuance with a Subject Alternative Name (SAN) via Active Directory Certificate Services (AD CS) followed by immediate authentication, using Windows Security Event Logs (EventCode 4887 and 4768), which, if successful, can lead to privilege escalation and environment compromise.