CVE-2021-42287 & CVE-2021-42278: noPac — Domain User to Domain Admin in Seconds
How chaining two Active Directory privilege escalation vulnerabilities allowed any authenticated domain user to impersonate a Domain Controller and obtain domain admin-equivalent Kerberos tickets in under a minute
CVE-2021-42287 and CVE-2021-42278 are two Active Directory privilege escalation vulnerabilities patched by Microsoft in November 2021 that, when chained together in the 'noPac' exploit, allowed any authenticated domain user to impersonate a Domain Controller and receive Kerberos tickets with domain admin-equivalent privileges — a complete Active Directory takeover achievable in under a minute from a standard user account. Public exploit code was released within weeks of disclosure, with CISA confirming active exploitation in the following months.
The Two Vulnerabilities Explained
**CVE-2021-42278 — Machine Account Name Spoofing**: Active Directory allows domain users to create machine accounts (computer objects) up to the MachineAccountQuota limit (default: 10 per user). Machine accounts are named with a trailing dollar sign by convention (e.g., WORKSTATION01$). CVE-2021-42278 is a missing validation check — Active Directory does not enforce that machine account names must end with a dollar sign, allowing an attacker to create a machine account named `DC01` (without the $), which is indistinguishable from the real Domain Controller `DC01$` in certain Kerberos processing contexts.
**CVE-2021-42287 — Kerberos PAC Confusion**: When the Kerberos Key Distribution Center (KDC) processes a service ticket request (TGS-REQ), it looks up the requesting account to build the Privilege Attribute Certificate (PAC). CVE-2021-42287 is a logic flaw: if the KDC cannot find the originally requesting account (because the machine account was renamed or deleted after the TGT was issued), it falls back to searching for an account matching the name — and if that name matches a Domain Controller, it builds the PAC with the DC's privileges instead.
The noPac Exploit Chain
The two vulnerabilities chain into a complete privilege escalation in the following sequence:
1. **Create a spoofed machine account.** Using any domain user account and the default MachineAccountQuota, create a new machine account named `DC01` (matching the target Domain Controller's name without the trailing $).
2. **Request a TGT for the spoofed account.** Authenticate to the KDC as `DC01` (the spoofed machine account) and obtain a Ticket Granting Ticket. The KDC issues the TGT because `DC01` is a valid domain account.
3. **Rename or delete the spoofed machine account.** Rename the machine account to something else (or delete it), so the original `DC01` name no longer maps to the attacker's account in the directory.
4. **Request a service ticket using the TGT.** Submit the TGT to the KDC with a TGS-REQ for a service ticket to a Domain Controller service (e.g., `cifs/DC01`).
5. **KDC falls back to DC01$ — Domain Admin ticket issued.** The KDC cannot find the original `DC01` account (renamed/deleted). It falls back to searching for `DC01` and finds the real Domain Controller `DC01$`. The PAC in the service ticket is built using the DC's privileges — effectively granting domain admin-equivalent access. The attacker now holds a valid Kerberos ticket with DC impersonation rights.
Why This Is Catastrophic
The noPac chain converts a minimal foothold — a single standard domain user account — into complete Active Directory compromise with no additional prerequisites beyond network access to the Domain Controller's Kerberos port (TCP/UDP 88).
With the resulting service ticket, an attacker can:
- Perform a DCSync attack to dump all domain password hashes
- Create new domain admin accounts
- Access all domain-joined systems with DC-level permissions
- Modify domain GPOs, trusts, and security policies
- Establish persistence via Golden Ticket creation
Because only a standard domain login is required, any phished employee account, any credential exposed in a breach, or any default service account becomes a potential path to domain compromise.
Detection
Key indicators for noPac exploitation attempts:
| Artifact | Source | Detection notes |
|---|---|---|
| Machine account creation events where the sAMAccountName does not end with $ (Windows Event ID 4741) | Windows Security Event Log — Domain Controller | Alert on Computer Account Created events where the new account name lacks the conventional trailing $ — this is the CVE-2021-42278 setup step |
| Machine account rename events immediately followed by Kerberos TGS requests (Event ID 4742 followed by 4769) | Windows Security Event Log — Domain Controller | The rename-then-TGS-request sequence within a short time window is the core noPac exploitation pattern |
| S4U2Self requests for Domain Controller SPNs from non-DC machine accounts | Kerberos telemetry — Windows Event ID 4769 | A machine account (non-DC) requesting service tickets to DC services is anomalous; correlate Account Name with known DC list |
| Microsoft's noPac detection script output indicating vulnerable MachineAccountQuota | Active Directory attribute | ms-DS-MachineAccountQuota value > 0 at domain root is a prerequisite indicator; read the domain root DN with `(Get-ADDomain).DistinguishedName`, then query it with `Get-ADObject -Identity <domain DN> -Properties ms-DS-MachineAccountQuota` |
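As an added example (not code from the article), the three log-based indicators in the table implemented as a small correlation over constructed Security event records. The event field names, the `KNOWN_DCS` set and the five-minute rename-to-TGS window are assumptions; real 4741/4742/4769 events carry these values in their XML event data.

```python
from datetime import datetime, timedelta

KNOWN_DCS = {"DC01$"}          # assumption: the domain's DC machine accounts
WINDOW = timedelta(minutes=5)  # assumption: rename -> TGS-REQ correlation window

# Constructed sample events (not real telemetry). Simplified field names:
# 4741 = computer account created, 4742 = computer account changed,
# 4768 = TGT requested, 4769 = Kerberos service ticket requested.
EVENTS = [
    {"id": 4741, "t": "2021-12-01T10:00:00", "target": "DC01", "actor": "jdoe"},
    {"id": 4768, "t": "2021-12-01T10:00:20", "account": "DC01"},
    {"id": 4742, "t": "2021-12-01T10:00:40", "target": "DC01", "new_sam": "WS42$"},
    {"id": 4769, "t": "2021-12-01T10:01:05", "account": "DC01", "service": "cifs/DC01"},
    {"id": 4741, "t": "2021-12-01T11:00:00", "target": "WS77$", "actor": "helpdesk"},
    {"id": 4769, "t": "2021-12-01T11:00:30", "account": "WS77$", "service": "cifs/FS01"},
]


def _ts(e):
    return datetime.fromisoformat(e["t"])


def detect_nopac(events, known_dcs=KNOWN_DCS, window=WINDOW):
    """Return (rule, account) tuples for the three indicators in the table."""
    alerts = []
    # Names the log shows as computer objects (created or changed), with or without $.
    machine_names = {e["target"] for e in events if e["id"] in (4741, 4742)}
    machine_names |= {e["new_sam"] for e in events if e["id"] == 4742 and "new_sam" in e}
    for e in events:
        # Rule 1: computer account created without the trailing $ (CVE-2021-42278 setup).
        if e["id"] == 4741 and not e["target"].endswith("$"):
            alerts.append(("4741-name-without-dollar", e["target"]))
        # Rule 2: rename (4742) followed within the window by a TGS-REQ (4769)
        # from either the old or the new name: the core noPac sequence.
        if e["id"] == 4742 and "new_sam" in e:
            names = {e["target"], e["new_sam"]}
            for f in events:
                if (f["id"] == 4769 and f["account"] in names
                        and timedelta(0) <= _ts(f) - _ts(e) <= window):
                    alerts.append(("4742-then-4769", f["account"]))
        # Rule 3: a machine account that is not a DC asking for a DC service.
        if e["id"] == 4769:
            host = e["service"].split("/")[-1].split(".")[0]
            is_dc_service = host + "$" in known_dcs
            is_machine = e["account"].endswith("$") or e["account"] in machine_names
            if is_dc_service and is_machine and e["account"] not in known_dcs:
                alerts.append(("dc-service-from-non-dc-machine", e["account"]))
    return alerts
```

Rule 3 deliberately ignores ordinary user accounts requesting `cifs/DC01` (SYSVOL access is routine); only computer objects outside the known DC list are flagged.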
Remediation
Steps in order of priority:
1. **Patch all Domain Controllers with November 2021 updates.** The November 9, 2021 Patch Tuesday cumulative updates contain fixes for both CVE-2021-42287 and CVE-2021-42278. Patch all Domain Controllers — the vulnerability is in the KDC service running on DCs, so workstation patching alone does not protect against this exploit chain.
2. **Set MachineAccountQuota to 0.** Reducing ms-DS-MachineAccountQuota to 0 removes the ability for standard domain users to create machine accounts, eliminating the prerequisite for this attack. Apply via Group Policy: Computer Configuration → Preferences → Windows Settings → Registry, or directly via PowerShell: `Set-ADDomain -Identity yourdomain.com -Replace @{'ms-DS-MachineAccountQuota'=0}` (the attribute name contains hyphens, so it must be quoted as a hashtable key). Note: IT operations that require machine account creation will need to be performed by privileged accounts going forward.
3. **Audit existing machine accounts for non-standard naming.** Search Active Directory for computer objects whose sAMAccountName does not end with $ — these are anomalous and may indicate exploitation or preparation: `Get-ADComputer -Filter * | Where-Object {$_.SamAccountName -notmatch '\$$'}`
4. **Enable Kerberos audit logging on Domain Controllers.** Ensure Windows Event IDs 4741 (computer account created), 4742 (computer account changed), and 4769 (Kerberos service ticket requested) are being collected and forwarded to your SIEM. Configure alerting on the noPac-specific event sequence described in the detection section.
The bottom line
noPac is one of the most impactful Active Directory privilege escalation techniques ever published — converting any authenticated domain user into a de facto Domain Administrator in under a minute using only built-in Windows functionality. The November 2021 patch is essential, but reducing MachineAccountQuota to 0 is an equally important defense-in-depth measure that eliminates this and several other machine-account-based attack primitives. If your domain still has MachineAccountQuota > 0, review this as a priority configuration change regardless of patch status.
Frequently asked questions
What is noPac (CVE-2021-42287 / CVE-2021-42278)?
noPac is an Active Directory privilege escalation exploit chain combining CVE-2021-42278 (machine account name spoofing) and CVE-2021-42287 (Kerberos PAC confusion). Any authenticated domain user can use noPac to obtain a Kerberos ticket granting domain admin-equivalent access to any domain resource, including Domain Controllers.
Does noPac require admin rights or special permissions?
No. noPac requires only a standard domain user account and the ability to create machine accounts (the default MachineAccountQuota in Active Directory allows any domain user to create up to 10 machine accounts). No elevated privileges, special group membership, or additional credentials are needed to start the attack.
How do I check if my domain is vulnerable to noPac?
Apply the November 2021 Patch Tuesday cumulative updates to all Domain Controllers. You can also reduce MachineAccountQuota to 0 (via Group Policy → Computer Configuration → Windows Settings → Security Settings → Account Policies) to remove the machine account creation prerequisite, though patching is the definitive fix.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.