Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack
We can quickly identify this by searching for the event logs with the following:
SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
provider_name, eventid, task_message, data
IN '4768' AND data LIKE 'Cert'
If you see that "A Kerberos authentication ticket (TGT) was requested" then you may have suffered an attack. It is important to note it is not 100% indicative of such and should be reviewed further.
NOTE: if you are not auditing these events via a Logging Policy on your servers, they will not appear by default.