
Summary
This analytic detects suspicious certificate requests or issuances in Active Directory Certificate Services (AD CS) that specify a Subject Alternative Name (SAN). By monitoring Windows Security Event Codes 4886 (certificate requested) and 4887 (certificate issued), the detection identifies activity that could indicate an attacker exploiting improperly configured certificate templates for privilege escalation. If an attacker can submit certificate requests, or obtain issued certificates, with a SAN the template should not allow, they may gain elevated privileges, unauthorized access to sensitive resources, and persistence within the environment. The rule processes the relevant event attributes, extracting key fields such as RequestId and the requesting user identity, to highlight suspicious activity associated with certificate management in Windows environments.
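As an added illustration (not the detection's own search logic), the correlation the summary describes can be reproduced in Python: parse the Attributes field of 4886/4887 records for a SAN entry, group by RequestId, and report whether the request was only received or actually issued. The event records below are constructed samples modelled on the fields of those two events, not real logs.

```python
import re

# Constructed sample records modelled on the fields of Windows Security
# events 4886 (request received) and 4887 (certificate issued); not real logs.
SAMPLE_EVENTS = [
    {"EventCode": 4886, "RequestId": "101", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User\nccm:WS01.corp.local"},
    {"EventCode": 4887, "RequestId": "101", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User\nccm:WS01.corp.local",
     "Subject": "CN=jdoe"},
    {"EventCode": 4886, "RequestId": "102", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=admin@corp.local"},
    {"EventCode": 4887, "RequestId": "102", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=admin@corp.local",
     "Subject": "CN=jdoe"},
]

# One "SAN:" line inside the multi-line Attributes field, case-insensitive.
SAN_RE = re.compile(r"(?im)^\s*san:(.+)$")


def san_values(attributes: str) -> list[str]:
    """Return the SAN values present in an event's Attributes field."""
    return [m.strip() for m in SAN_RE.findall(attributes or "")]


def correlate_san_requests(events):
    """Group 4886/4887 events by RequestId and keep those carrying a SAN.

    Returns {RequestId: {"requester", "san", "requested", "issued"}} so an
    analyst can see whether a SAN-bearing request was merely received (4886)
    or resulted in an issued certificate (4887).
    """
    findings = {}
    for ev in events:
        if ev.get("EventCode") not in (4886, 4887):
            continue
        sans = san_values(ev.get("Attributes", ""))
        if not sans:
            continue  # ordinary request with no SAN: not of interest here
        rec = findings.setdefault(ev["RequestId"], {
            "requester": ev.get("Requester"), "san": sans,
            "requested": False, "issued": False})
        rec["requested" if ev["EventCode"] == 4886 else "issued"] = True
    return findings


if __name__ == "__main__":
    for rid, f in correlate_san_requests(SAMPLE_EVENTS).items():
        stage = "issued" if f["issued"] else "requested only"
        print(f"RequestId {rid}: {f['requester']} -> SAN {f['san']} ({stage})")
```

Request 101 has no SAN and is dropped; request 102 is reported as both requested and issued, which is the case that warrants review of the template's enrollment settings.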
Categories
- Windows
- Endpoint
- Cloud
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1649
Created: 2024-11-13