PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 9 min read

NoPac / CVE-2021-42278 and 42287: How the sAMAccountName Spoofing Attack Works and How to Mitigate It

Nov 2021
Patch release date -- both CVEs patched in KB5008380 and related updates
10 seconds
Time to escalate from standard user to Domain Admin using NoPac on an unpatched domain
MachineAccountQuota
Defense-in-depth: set to 0 to eliminate the machine account creation step

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

NoPac is one of the most significant Active Directory vulnerabilities in recent years because it requires only a standard domain user account and working network connectivity to a DC -- no special permissions, no existing privileged access. The attack is fully automated by public tools (NoPac.py from the Impacket collection). The November 2021 patch is the primary fix. Organizations that have delayed patching or have DCs that missed the update remain vulnerable. This guide explains the attack chain, how to verify patch status, and what additional controls reduce risk.

The Attack Chain in Detail

Step 1 (CVE-2021-42278 -- sAMAccountName manipulation): by default, any domain user can create up to 10 machine accounts in the domain (controlled by the ms-DS-MachineAccountQuota attribute). The attacker creates a machine account with a standard name (e.g., EVILPC$). Then renames the machine account's sAMAccountName to match a DC name without the trailing dollar sign (e.g., renames EVILPC$ to DC01, matching the DC's sAMAccountName of DC01$). The DC's sAMAccountName check was supposed to prevent non-admin accounts from using DC-matching names, but CVE-2021-42278 was a bypass for this check. Step 2 (Obtaining a TGT for the renamed account): the attacker requests a TGT for the renamed machine account (now named DC01) using the machine account's password they know. Step 3 (CVE-2021-42287 -- PAC verification bypass): the attacker requests a service ticket using the TGT. When the KDC processes the request and cannot find an account named DC01 (because the attacker has renamed the machine account back to its original name), it appends $ and searches again -- finding DC01$ (the real domain controller). The KDC then issues a service ticket with the DC's privileges embedded in the PAC. The attacker has a service ticket representing a domain controller, enabling DCSync and full domain compromise.

Verify Your Domain Controllers Are Patched

The fix for CVE-2021-42278 and CVE-2021-42287 is in the November 9, 2021 Patch Tuesday updates (and subsequent cumulative updates). Verify the patch is installed on all DCs: Get-HotFix -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name) | Where-Object { $_.HotFixID -in ('KB5008380','KB5007206','KB5008212','KB5008218','KB5008282') } | Select-Object PSComputerName, HotFixID, InstalledOn. Any DC not in the results is potentially missing the patch. However, the specific KB varies by OS version -- the more reliable check is to verify the cumulative update version. On Windows Server 2019 DCs: the November 2021 CU is build 17763.2300 or later (winver on the DC). On 2016: build 14393.4770 or later. Test exploitability directly (from a safe test account): download and run the public NoPac.py from a controlled endpoint -- if it succeeds in obtaining elevated access, the domain is vulnerable. Run this only in a pre-approved penetration testing context.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Reduce MachineAccountQuota to 0 as Defense-in-Depth

Even with the patches installed, reducing MachineAccountQuota to 0 eliminates the machine account creation step that NoPac requires. More broadly, this prevents any domain user from creating machine accounts without admin delegation, which also prevents ASREPRoasting precomputation attacks and RBCD attacks that require attacker-controlled machine accounts. Set MachineAccountQuota via PowerShell on the domain object: Set-ADDomain -Identity domain.com -Replace @{'ms-DS-MachineAccountQuota'='0'}. After setting to 0, machine account creation requires explicit delegation of the 'Add workstations to domain' right on specific OUs or the default 'Create Computer objects' right in the Computers container (which should only be granted to IT admin accounts). Verify the change: Get-ADDomain | Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'. Test that workstation domain join still works via the approved IT join process -- if IT uses an admin account to join machines, it should work fine. If an automated provisioning system uses a non-admin service account to join machines, that service account will need the 'Add workstations to domain' permission explicitly delegated on the OU where machines are created.

Detect NoPac Exploitation Attempts

Event ID 4741 (computer account created) with the creating account being a standard user account (not a member of Domain Admins) is a prerequisite for NoPac. Alert when non-admin users create computer accounts. Event ID 4742 (computer account changed) immediately after 4741 from the same account, modifying the sAMAccountName, is the key indicator for CVE-2021-42278. KQL: SecurityEvent | where EventID == 4742 | where TargetUserName has_cs '$' == false and TargetSamAccountName has_cs '$' == false | project TimeGenerated, SubjectUserName, TargetSamAccountName, Computer. Any computer account sAMAccountName change that removes the trailing $ is highly suspicious. Microsoft Defender for Identity has a built-in detection for NoPac that alerts on the sAMAccountName spoofing pattern. If you have MDI, verify this alert is enabled and validate it fires with a test. Also monitor Event ID 4769 (Kerberos service ticket requested) from accounts not recognized as DCs -- the NoPac service ticket requests have characteristic anomalies that MDI's behavioral engine detects.

Additional Hardening Beyond the Patch

Restrict who can rename computer accounts: by default, the user who created a computer account or a Domain Admin can rename it. After setting MachineAccountQuota to 0 and requiring admin-created computer accounts, the renaming risk is limited to admins. However, verify there are no legacy computer accounts in the domain that are owned by standard user accounts (Get-ADComputer -Filter * -Properties ManagedBy | Where-Object { $_.ManagedBy -ne $null } -- review any non-admin ManagedBy entries). Enable Protected Users group for all Tier 0 accounts: Protected Users members cannot have their TGT used in delegation scenarios that are critical to the CVE-2021-42287 exploitation chain. Monitor for DC impersonation: Event ID 4768 (TGT request) with a client address that is not a known DC IP but with a pre-authentication username matching a DC name is anomalous. MDI detects this pattern; a raw SIEM query is more complex but possible with a DC IP watchlist.

The bottom line

NoPac is a critical patch -- verify every DC in your domain has the November 2021 or later cumulative update. Set MachineAccountQuota to 0 as defense-in-depth. Alert on Event ID 4742 showing sAMAccountName changes on computer accounts. If you have MDI, the NoPac detection is built in -- confirm it is enabled. Post-patch, the attack is no longer exploitable, but the MachineAccountQuota=0 hardening remains valuable as it also blocks RBCD and related machine-account-dependent attacks.

Frequently asked questions

Does setting MachineAccountQuota to 0 break anything?

It breaks the ability for standard domain users to join computers to the domain themselves (using Windows 'Join a domain' from the system properties). This is usually the intended behavior -- machine joins should go through an IT process with a designated admin account. However, if any automated provisioning systems (MDT, SCCM, Intune Autopilot hybrid join) use a non-admin service account to create computer objects, those will break. Audit your machine provisioning process before setting MachineAccountQuota to 0 and ensure the provisioning service account has explicit permission on the target OU.

Are there other attacks that require machine account creation like NoPac?

Yes. Resource-Based Constrained Delegation (RBCD) attacks require an attacker-controlled machine account. Without MachineAccountQuota > 0, an attacker must find an existing compromised machine account or use a service account to perform RBCD. Reducing MachineAccountQuota to 0 also prevents the RBCD attack path that relies on creating a new machine account. It does not prevent RBCD attacks using already-compromised existing accounts.

Is NoPac still relevant in 2026?

For patched environments, NoPac is no longer directly exploitable. However, it remains relevant for: penetration testers assessing environments that may have missed the November 2021 patch (some environments with long patch cycles, offline DCs, or specific hardening exceptions), forensic investigators determining whether historical compromises used this technique, and as a case study for why MachineAccountQuota should be 0 and sAMAccountName changes should be monitored. Organizations acquired through M&A who inherit unpatched AD environments are a common scenario where NoPac may still be exploitable.

How do I check if NoPac has already been used in my environment?

Search historical Security event logs for Event ID 4742 with a computer account sAMAccountName that was changed to match a DC name (without trailing $). Also search Event ID 4769 for Kerberos TGS requests from unusual source IPs that used DC-named accounts as the service. If you have MDI, check for 'Suspected Kerberos SPN manipulation' and 'Account Enumeration Reconnaissance' alerts around the suspected compromise timeframe. The November 2021 or later cumulative update also patches the DCSync path that NoPac enabled, so a DCSync from a non-DC account (Event ID 4662 with replication rights) is the downstream indicator of successful exploitation.

What other CVEs from the same era as NoPac affected Active Directory Kerberos?

Several critical AD vulnerabilities emerged in 2021 and 2022: CVE-2020-1472 (Zerologon, August 2020, Netlogon privilege escalation to domain compromise in seconds), CVE-2021-42287 (the PAC confusion component paired with CVE-2021-42278 for NoPac), CVE-2022-26923 (Certifried, certificate-based privilege escalation via AD CS), and the PrintNightmare family (CVE-2021-1675, CVE-2021-34527) targeting the Print Spooler service on DCs. All of these require KB verification similar to NoPac. Run a comprehensive patch audit against your DCs for all critical and important Windows Server Security updates from 2020 through present.

What makes NoPac particularly dangerous compared to other Active Directory privilege escalation vulnerabilities?

NoPac (combining CVE-2021-42278 and CVE-2021-42287) stands out for three reasons. First, it is weaponizable by any standard domain user with no special privileges -- no writable AD objects, no pre-positioned access, and no additional service accounts needed. Any account that can create computer objects (the default allows up to 10 per user, controlled by ms-DS-MachineAccountQuota) is sufficient. Second, it chains two separate bugs into a complete privilege escalation from standard user to Domain Admin in a single exploit chain, making partial patching ineffective -- both CVEs must be patched. Third, exploitation leaves relatively few forensic artifacts compared to other attacks: the sAMAccountName manipulation happens in LDAP writes that are logged but not in obvious alert categories unless MDI is deployed. Organizations without Microsoft Defender for Identity rely on detecting the downstream Kerberos ticket abuse rather than the initial LDAP manipulation, which gives attackers more time post-exploitation.

Sources & references

  1. Microsoft: KB5008380 NoPac Patch Advisory
  2. MSRC: CVE-2021-42278

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.