CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2021-42287 & CVE-2021-42278: noPac, Domain User to Domain Admin in Seconds

How chaining two Active Directory privilege escalation vulnerabilities allowed any authenticated domain user to impersonate a Domain Controller and obtain domain admin-equivalent Kerberos tickets in under a minute

8.8
CVSS Score (CVE-2021-42287)
~1 min
Time from domain user to Domain Admin
Domain Admin
Resulting privilege level
Nov 2021
Patch Tuesday fix

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2021-42287 and CVE-2021-42278 are two Active Directory privilege escalation vulnerabilities patched by Microsoft in November 2021 that, when chained together in the 'noPac' exploit, allowed any authenticated domain user to impersonate a Domain Controller and receive Kerberos tickets with domain admin-equivalent privileges, a complete Active Directory takeover achievable in under a minute from a standard user account. Public exploit code was released within weeks of disclosure, with CISA confirming active exploitation in the following months.

The Two Vulnerabilities Explained

CVE-2021-42278, Machine Account Name Spoofing: Active Directory allows domain users to create machine accounts (computer objects) up to the MachineAccountQuota limit (default: 10 per user). Machine accounts are named with a trailing dollar sign by convention (e.g., WORKSTATION01$). CVE-2021-42278 is a missing validation check, Active Directory does not enforce that machine account names must end with a dollar sign, allowing an attacker to create a machine account named DC01 (without the $), which is indistinguishable from the real Domain Controller DC01$ in certain Kerberos processing contexts.

CVE-2021-42287, Kerberos PAC Confusion: When the Kerberos Key Distribution Center (KDC) processes a service ticket request (TGS-REQ), it looks up the requesting account to build the Privilege Attribute Certificate (PAC). CVE-2021-42287 is a logic flaw: if the KDC cannot find the originally requesting account (because the machine account was renamed or deleted after the TGT was issued), it falls back to searching for an account matching the name, and if that name matches a Domain Controller, it builds the PAC with the DC's privileges instead.

The noPac Exploit Chain

The two vulnerabilities chain into a complete privilege escalation in the following sequence:

1

Create a spoofed machine account

Using any domain user account and the default MachineAccountQuota, create a new machine account named `DC01` (matching the target Domain Controller's name without the trailing $).

2

Request a TGT for the spoofed account

Authenticate to the KDC as `DC01` (the spoofed machine account) and obtain a Ticket Granting Ticket. The KDC issues the TGT because `DC01` is a valid domain account.

3

Rename or delete the spoofed machine account

Rename the machine account to something else (or delete it), so the original `DC01` name no longer maps to the attacker's account in the directory.

4

Request a service ticket using the TGT

Submit the TGT to the KDC with a TGS-REQ for a service ticket to a Domain Controller service (e.g., cifs/DC01).

5

KDC falls back to DC01$, Domain Admin ticket issued

The KDC cannot find the original `DC01` account (renamed/deleted). It falls back to searching for `DC01` and finds the real Domain Controller `DC01$`. The PAC in the service ticket is built using the DC's privileges, effectively granting domain admin-equivalent access. The attacker now holds a valid Kerberos ticket with DC impersonation rights.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Why This Is Catastrophic

The noPac chain converts a minimal foothold, a single standard domain user account, into complete Active Directory compromise with no additional prerequisites beyond network access to the Domain Controller's Kerberos port (TCP/UDP 88).

With the resulting service ticket, an attacker can:

  • Perform a DCSync attack to dump all domain password hashes
  • Create new domain admin accounts
  • Access all domain-joined systems with DC-level permissions
  • Modify domain GPOs, trusts, and security policies
  • Establish persistence via Golden Ticket creation

Because only a standard domain login is required, any phished employee account, any credential exposed in a breach, or any default service account becomes a potential path to domain compromise.

Detection

Key indicators for noPac exploitation attempts:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

noPac is one of the most impactful Active Directory privilege escalation techniques ever published, converting any authenticated domain user into a de facto Domain Administrator in under a minute using only built-in Windows functionality. The November 2021 patch is essential, but reducing MachineAccountQuota to 0 is an equally important defense-in-depth measure that eliminates this and several other machine-account-based attack primitives. If your domain still has MachineAccountQuota > 0, review this as a priority configuration change regardless of patch status.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is noPac (CVE-2021-42287 / CVE-2021-42278)?

noPac is an Active Directory privilege escalation exploit chain combining CVE-2021-42278 (machine account name spoofing) and CVE-2021-42287 (Kerberos PAC confusion). Any authenticated domain user can use noPac to obtain a Kerberos ticket granting domain admin-equivalent access to any domain resource, including Domain Controllers.

Does noPac require admin rights or special permissions?

No. noPac requires only a standard domain user account and the ability to create machine accounts (the default MachineAccountQuota in Active Directory allows any domain user to create up to 10 machine accounts). No elevated privileges, special group membership, or additional credentials are needed to start the attack.

How do I check if my domain is vulnerable to noPac?

Apply the November 2021 Patch Tuesday cumulative updates to all Domain Controllers. You can also reduce MachineAccountQuota to 0 (via Group Policy → Computer Configuration → Windows Settings → Security Settings → Account Policies) to remove the machine account creation prerequisite, though patching is the definitive fix.

What is MachineAccountQuota and why does it enable the noPac attack?

ms-DS-MachineAccountQuota is an Active Directory domain attribute that controls how many computer accounts a regular (non-admin) user can create in the domain. The default value is 10, meaning any standard domain user can create up to 10 machine accounts. noPac requires creating a machine account with a spoofed name matching a Domain Controller. Without MachineAccountQuota > 0, standard domain users cannot create machine accounts and the prerequisite for the attack is eliminated. Run `Get-ADDomain | Select-Object -Property DistinguishedName` to get the domain DN, then `Get-ADObject -Identity 'DC=corp,DC=example,DC=com' -Properties ms-DS-MachineAccountQuota` to check the current value. Set it to 0 as a defense-in-depth measure.

What is a DCSync attack, and how does noPac lead to one?

DCSync is an attack technique that uses Active Directory's domain replication protocol (DRSUAPI) to request password hash replication from a Domain Controller, as if the requester were another DC performing normal AD synchronization. Any account with DC impersonation rights (which the noPac TGT provides) can use DCSync to dump all password hashes in the domain, including the krbtgt account hash. With the krbtgt hash, an attacker can forge Golden Tickets, Kerberos TGTs valid for any user for up to 10 years, providing permanent domain admin access that persists even after the original vulnerability is patched, until the krbtgt account password is rotated twice.

Was noPac exploited in the wild after public disclosure?

Yes. CISA confirmed active exploitation of the noPac chain (CVE-2021-42278 and CVE-2021-42287) in the weeks following the release of public proof-of-concept exploit code in December 2021. The exploitation confirmed ransomware operators adopted the technique rapidly because it converts a single phished domain user account into full domain compromise with no additional access requirements. The November 2021 patch predated public PoC release, meaning organizations that applied November patches were protected before mass exploitation began, while those that delayed patching faced active attacks within weeks of PoC availability.

Sources & references

  1. Microsoft Security Advisory, CVE-2021-42287
  2. Microsoft Security Advisory, CVE-2021-42278
  3. SecureAuth noPac Analysis
  4. NVD, CVE-2021-42287

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.