ADCS · CA host compromise · for responders

ADCS ESC12: owning the CA host means re-keying, not reimaging

Shell access on the certificate authority host gives an attacker the signing-key context to forge certificates for anyone. Reimaging is not enough. You re-key and distrust the old key.

ESC12 is not a template flaw. It is an attacker with an interactive shell on the certificate authority host itself, typically as local administrator. In the published ESC12 case the CA key sits in a YubiHSM attached to the host and the HSM's authentication secret is stored in the host's registry, so any shell on the box can drive the key through the HSM's provider. That is full PKI compromise, because the host controls the signing-key context.

How the attack works

An interactive administrator logon lands on the CA host with local administrator rights. The attacker reaches the certificate authority private-key context and gains the ability to sign in the CA's name. With that, they drive the CA to issue a certificate asserting a Domain Administrator identity, carrying an operator-supplied subject alternative name the requester would never legitimately enroll for. The certificate is then used to authenticate to a domain controller and obtain a Kerberos ticket as the privileged identity. In ATT&CK terms this is T1649, Steal or Forge Authentication Certificates, with T1078, Valid Accounts, for the logon that got the attacker there. The detection tell is the interactive logon to the CA host that reaches the key context, not the volume of issuance.
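The rule that paragraph describes, written out as an added example that is not code from the field note: flag interactive logons (4624, logon types 2, 10, 11) on a CA host by any account outside a PAW admin allow-list, then correlate with 4887 issuance events on that host inside a window and escalate when the issued subject or request-attribute SAN is not the requester's own account. The host names, account names, the allow-list and every sample event are constructed for the demo; the live-feed converter at the end assumes the standard 4624 and 4887 EventData field names, which you should verify against your own CA.

```powershell
# Added example (not code from the field note): the detection rule the note describes, run
# over constructed sample events. Host names, accounts and every event below are made up.
$CaHosts               = @('CA01.corp.example')                            # assumption: your issuing CA hosts
$AllowedAdmins         = @('CORP\pki-admin-paw01', 'CORP\pki-admin-paw02') # assumption: PAW-only CA admins
$InteractiveLogonTypes = @(2, 10, 11)   # Interactive, RemoteInteractive, CachedInteractive

function Test-SubjectMatchesRequester {
    # True when the issued identity is the requester's own account. A SAN supplied through
    # request attributes (SAN:upn=...) overrides the Subject CN, so it is checked first.
    param([string] $Requester, [string] $Subject, [string] $Attributes)
    $sam = ($Requester -split '\\')[-1].TrimEnd('$')
    if ($Attributes -match 'upn=([^,@]+)@') { return ($Matches[1] -ieq $sam) }
    return ($Subject -match "(^|,)CN=$([regex]::Escape($sam))(,|$)")
}

function Find-CaHostCompromise {
    # 4624 interactive logons on a CA host by anyone outside the allow-list are the tell.
    # Any 4887 issuance on that host within the window whose subject is not the requester
    # is treated as attacker-minted and raises the alert to Critical.
    param([Parameter(Mandatory)] [object[]] $Events, [int] $WindowMinutes = 240)
    $logons = $Events | Where-Object {
        $_.Id -eq 4624 -and $CaHosts -contains $_.Computer -and
        $InteractiveLogonTypes -contains [int]$_.LogonType -and $AllowedAdmins -notcontains $_.Account
    }
    $issued = $Events | Where-Object { $_.Id -eq 4887 -and $CaHosts -contains $_.Computer }
    foreach ($logon in $logons) {
        $until   = $logon.TimeCreated.AddMinutes($WindowMinutes)
        $suspect = @($issued | Where-Object {
            $_.TimeCreated -ge $logon.TimeCreated -and $_.TimeCreated -le $until -and
            -not (Test-SubjectMatchesRequester $_.Requester $_.Subject $_.Attributes)
        })
        [pscustomobject]@{
            Severity = if ($suspect.Count) { 'Critical' } else { 'High' }
            Logon    = "$($logon.Account) logon type $($logon.LogonType) on $($logon.Computer) at $($logon.TimeCreated.ToString('u'))"
            Minted   = $suspect | ForEach-Object { "request $($_.RequestId) by $($_.Requester): $($_.Subject) $($_.Attributes)".Trim() }
        }
    }
}

function ConvertFrom-SecurityEvent {
    # Map a live Get-WinEvent record onto the flat shape used above. The EventData names are
    # the ones Windows uses for 4624 and 4887; confirm them on your own CA before relying on this.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated; Id = $Record.Id; Computer = $Record.MachineName
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"; LogonType = $d.LogonType
            RequestId   = $d.RequestId; Requester = $d.Requester; Subject = $d.Subject; Attributes = $d.Attributes
        }
    }
}

# Constructed sample: a PAW admin logon (allowed), a backup service account logging on
# interactively to the CA (not allowed), one issuance for itself, one for Administrator via
# a request-attribute SAN, and an unrelated network logon elsewhere.
$t0 = Get-Date '2024-05-02T01:10:00Z'
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated=$t0;                Id=4624; Computer='CA01.corp.example'; Account='CORP\pki-admin-paw01'; LogonType=10 }
    [pscustomobject]@{ TimeCreated=$t0.AddMinutes(30); Id=4624; Computer='CA01.corp.example'; Account='CORP\svc-backup';      LogonType=10 }
    [pscustomobject]@{ TimeCreated=$t0.AddMinutes(45); Id=4887; Computer='CA01.corp.example'; Requester='CORP\svc-backup'; RequestId=1042; Subject='CN=svc-backup';    Attributes='' }
    [pscustomobject]@{ TimeCreated=$t0.AddMinutes(52); Id=4887; Computer='CA01.corp.example'; Requester='CORP\svc-backup'; RequestId=1043; Subject='CN=Administrator'; Attributes='SAN:upn=administrator@corp.example' }
    [pscustomobject]@{ TimeCreated=$t0.AddMinutes(60); Id=4624; Computer='FS01.corp.example'; Account='CORP\svc-backup';      LogonType=3 }
)
Find-CaHostCompromise -Events $SampleEvents | Format-List

# Live use from a collector with the Security log forwarded or reachable:
#   Find-CaHostCompromise -Events (Get-WinEvent -ComputerName CA01 -FilterHashtable @{LogName='Security'; Id=4624,4887} | ConvertFrom-SecurityEvent)
```

On the sample the PAW admin logon is silent, the service-account logon on the CA host fires on its own as High, and request 1043 (requester svc-backup, SAN for administrator) lifts it to Critical; request 1042 is the account enrolling for itself and is not listed. The rule deliberately keys on the logon rather than issuance counts, because one forged certificate is enough and a certificate signed directly with the key never produces a 4887 at all.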

Why it works

The certificate authority signing key is the trust anchor for certificate-based authentication. Whether the key lives in an HSM token or the machine store, control of the host means control of the key context, so the attacker can mint a certificate for any identity. An HSM keeps the key material from being copied off the box; it does not stop whoever is on the box from asking the HSM to sign, and in the ESC12 case the secret that unlocks the HSM is itself readable from the host's registry.

How to fix it

The hard truth is that you cannot clean the box and move on. Isolate the CA host, stop the service, and treat the signing key as compromised. The non-obvious move is to re-key and rotate the CA and distrust the old key, because reimaging the host and bringing the same key back online restores the exact capability the attacker abused. The issuance log only scopes what went through the service: a certificate signed directly with the key, which ESC12 allows, never appears in the CA database, so no amount of log review finds everything the old key vouches for, and revoking the old CA certificate at its parent and removing it from NTAuth is the only complete remedy. Rebuild on a clean hardened Tier-0 host, generate the new key inside an HSM as non-exportable, keep the HSM's own authentication secret off the host's disk and registry, and restrict CA-host logon to a tiny set of privileged-access-workstation admins. Use the issuance log to scope what the attacker minted through the service, and revoke those certificates while the distrust of the old key propagates.
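The containment sequence above as an added example, not code from the field note: pull the issuance log for the window while the service still answers, revoke what the attacker minted, take certsvc down, then distrust the old CA certificate at its parent and in NTAuth. It is written with ShouldProcess so the whole run can be rehearsed with -WhatIf against a constructed export before being used for real. The CA config strings, the serial numbers, the window and the sample export are made up; the certutil column list and the NTAuth removal syntax are the documented forms but should be confirmed on your own forest.

```powershell
# Added example (not code from the field note): containment and distrust steps for a
# compromised issuing CA. Config strings, serials and the sample export are constructed.

function Get-AttackerIssuedCerts {
    # Parse 'certutil -view ... -out "RequestID,RequesterName,SerialNumber,NotBefore,UPN,CommonName" csv'
    # output. Columns are read by position (that -out order) because certutil prints display
    # names in the header row. Flags rows whose issued identity is not the requester's account.
    param([Parameter(Mandatory)] [string] $CsvText)
    $rows = ($CsvText -split "`r?`n") | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, RequesterName, SerialNumber, NotBefore, UPN, CommonName
    foreach ($r in $rows) {
        $sam = ($r.RequesterName -split '\\')[-1].TrimEnd('$')
        # user certs carry the account in the SAN UPN; machine certs carry the host DNS name in the CN
        $issuedTo = if ($r.UPN) { ($r.UPN -split '@')[0] } else { ($r.CommonName -split '\.')[0] }
        [pscustomobject]@{
            RequestID = $r.RequestID; SerialNumber = $r.SerialNumber; Requester = $r.RequesterName
            IssuedTo  = if ($r.UPN) { $r.UPN } else { $r.CommonName }
            Flag      = if ($issuedTo -ine $sam) { 'IdentityMismatch' } else { 'TriageManually' }
        }
    }
}

function Invoke-CaContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $CaConfig,        # e.g. 'CA01.corp.example\CORP-Issuing-CA'
        [Parameter(Mandatory)] [string]   $ParentCaConfig,  # e.g. 'ROOTCA\CORP-Root-CA', brought online for this
        [Parameter(Mandatory)] [string]   $OldCaSerial,     # serial of the compromised CA certificate
        [Parameter(Mandatory)] [datetime] $WindowStart,     # first interactive logon you cannot account for
        [string] $IssuanceCsv                                # pre-exported log (or the sample) for rehearsal
    )
    # 1. Pull the issuance log while certsvc still answers; -view and -revoke both need the service.
    if (-not $IssuanceCsv) {
        $restrict    = 'NotBefore>=' + $WindowStart.ToString('G')   # certutil parses dates in the CA's locale
        $IssuanceCsv = (certutil -config $CaConfig -view -restrict $restrict -out 'RequestID,RequesterName,SerialNumber,NotBefore,UPN,CommonName' csv) -join "`n"
    }
    $scoped = @(Get-AttackerIssuedCerts -CsvText $IssuanceCsv)

    # 2. Revoke what the attacker minted through the service (reason 1 = keyCompromise), then publish a CRL.
    foreach ($c in ($scoped | Where-Object Flag -eq 'IdentityMismatch')) {
        if ($PSCmdlet.ShouldProcess("serial $($c.SerialNumber) issued to $($c.IssuedTo)", 'Revoke (keyCompromise)')) {
            certutil -config $CaConfig -revoke $c.SerialNumber 1 | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($CaConfig, 'Publish CRL')) { certutil -config $CaConfig -CRL | Out-Null }

    # 3. Take the compromised key context offline. This host and this key do not come back.
    $caHost = ($CaConfig -split '\\')[0]
    if ($PSCmdlet.ShouldProcess($caHost, 'Stop and disable certsvc')) {
        Invoke-Command -ComputerName $caHost -ScriptBlock { Stop-Service certsvc -Force; Set-Service certsvc -StartupType Disabled }
    }

    # 4. Distrust the old key: revoke the CA certificate at the parent (reason 2 = cACompromise) and
    #    drop it from NTAuth so domain controllers stop accepting anything it signed, including
    #    certificates forged directly with the key that never touched the CA database.
    if ($PSCmdlet.ShouldProcess($OldCaSerial, 'Revoke CA certificate at parent (cACompromise)')) {
        certutil -config $ParentCaConfig -revoke $OldCaSerial 2 | Out-Null
        certutil -config $ParentCaConfig -CRL | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('NTAuthCertificates', "Remove CA certificate $OldCaSerial")) {
        certutil -delstore -enterprise NTAuth $OldCaSerial | Out-Null   # confirm syntax on your forest
        # DCs keep a cached copy under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth; refresh with gpupdate /force
    }
    # 5. The replacement CA is a fresh Tier-0 build with a new, non-exportable HSM key: a rebuild, not a script step.
    $scoped
}

# Constructed sample of a certutil csv export (header row is certutil's display names, hence skipped).
$SampleExport = @'
"Issued Request ID","Requester Name","Serial Number","Certificate Effective Date","User Principal Name","Issued Common Name"
"1042","CORP\svc-backup","1a00000042","5/2/2024 1:55 AM","svc-backup@corp.example","svc-backup"
"1043","CORP\svc-backup","1a00000043","5/2/2024 2:02 AM","administrator@corp.example","Administrator"
"1044","CORP\WS17$","1a00000044","5/2/2024 2:30 AM","","ws17.corp.example"
'@

# Rehearsal: parse the constructed export and walk every step with -WhatIf; nothing is changed.
Invoke-CaContainment -CaConfig 'CA01.corp.example\CORP-Issuing-CA' -ParentCaConfig 'ROOTCA\CORP-Root-CA' `
    -OldCaSerial '2b00000007' -WindowStart '2024-05-02 01:40' -IssuanceCsv $SampleExport -WhatIf | Format-Table
```

In the rehearsal, request 1043 is flagged IdentityMismatch (svc-backup enrolling for administrator) and would be revoked; 1042 and the WS17 machine certificate come back as TriageManually because the issued identity matches the requester, which is exactly why the log is a scoping aid and step 4 is what actually ends the attacker's access. Step 3 is placed after revocation on purpose: certutil -view and -revoke talk to the running service.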

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse the CA-host detection and the re-key containment that reimaging cannot replace.