CVE-2021-42278 — Microsoft Active Directory Domain Services Privilege Escalation Vulnerability

CVE-2021-42278

Active Directory — NoPac Stage 1: sAMAccountName Spoofing Allows Domain Account to Impersonate Domain Controller in Kerberos Requests

What is Active Directory Domain Services?

Active Directory Domain Services (AD DS) is Microsoft's directory service that provides authentication and authorization for Windows networks. Every corporate Windows environment relies on AD DS: it manages user accounts, computer accounts, group memberships, and Kerberos/NTLM authentication. The Domain Controller (DC) is the server running AD DS and is the crown jewel of a Windows network — whoever controls the DC controls every machine, account, and resource in the domain. Machine accounts (computer accounts) are objects in AD representing domain-joined computers; they follow a naming convention where the account name ends with a dollar sign (e.g., WORKSTATION1$) and unlike user accounts, low-privileged domain users can create machine accounts by default (up to the ms-DS-MachineAccountQuota limit, defaulting to 10).

Overview

CVE-2021-42278 is a privilege escalation vulnerability in Active Directory Domain Services. It is the first stage of the NoPac attack chain (combined with CVE-2021-42287), which allows a standard domain user account to escalate to Domain Administrator — the highest privilege in a Windows domain. The vulnerability stems from a missing security check in Active Directory: the sAMAccountName attribute of a machine account (computer account) can be set to a value that matches a Domain Controller's account name minus the trailing dollar sign ($). Active Directory does not enforce that machine account names must differ from DC names. This sAMAccountName spoofing enables a domain user to create a machine account, rename it to impersonate a DC, and then use that impersonation in Kerberos authentication requests in combination with CVE-2021-42287.

Microsoft patched this in November 2021 Patch Tuesday. CISA added it to KEV in April 2022 after confirmed exploitation in ransomware campaigns.

Affected Versions

Product                         Vulnerable   Fixed
Windows Server 2008 R2 SP1      Yes          November 2021 cumulative update
Windows Server 2012 / 2012 R2   Yes          November 2021 cumulative update
Windows Server 2016             Yes          November 2021 cumulative update
Windows Server 2019             Yes          November 2021 cumulative update
Windows Server 2022             Yes          November 2021 cumulative update

Technical Details

CVE-2021-42278 enables the first stage of the NoPac domain escalation chain:

  • Root cause: Active Directory does not validate that a machine account's sAMAccountName attribute is distinct from a Domain Controller's sAMAccountName — a domain user can rename a machine account they control to match a DC's account name (e.g., rename ATTACKER$ to DC1, matching the domain controller's account DC1$ without the dollar sign)
  • Machine account creation: By default, any authenticated domain user can create up to 10 machine accounts (ms-DS-MachineAccountQuota). This is why the CVSS vector requires only PR:L (a low-privileged domain account)
  • sAMAccountName spoofing: The attacker creates a machine account, then uses the LDAP API to rename the account's sAMAccountName to match the DC name without the $ suffix (e.g., change EVILPC$ to DC01). Active Directory allows this change without restriction
  • Attack Complexity (High): The chain requires specific timing and steps — creating a machine account, renaming it, requesting a TGT, then renaming it back and using CVE-2021-42287 — but automated tooling (nopac.py) made this trivial
  • Chain dependency: CVE-2021-42278 alone provides impersonation; the full domain privilege escalation requires chaining with CVE-2021-42287 (Kerberos PAC escalation)
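The two preconditions described above (a non-zero ms-DS-MachineAccountQuota and computer objects whose sAMAccountName has lost its $ suffix or matches a Domain Controller's name) can be audited directly from the directory. The following PowerShell is an added example, not code from the advisory or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access, and the function name Get-NoPacExposure is this example's own.

```powershell
# Added example (not from the original advisory): audit an AD domain for the
# conditions CVE-2021-42278 relies on. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NoPacExposure {
    param(
        # Assumption: run from a domain-joined host; pass -Domain to audit another domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $findings  = [System.Collections.Generic.List[object]]::new()
    $domainObj = Get-ADDomain -Identity $Domain

    # 1. Can ordinary users still create machine accounts? Default is 10; 0 closes that path.
    $quota = (Get-ADObject -Identity $domainObj.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota' -Server $Domain).'ms-DS-MachineAccountQuota'
    if ($quota -ne 0) {
        $findings.Add([pscustomobject]@{
            Check  = 'MachineAccountQuota'
            Object = $Domain
            Detail = "ms-DS-MachineAccountQuota is $quota (recommended: 0)"
        })
    }

    # 2. Map each DC's short name (the value a spoofed account would copy) to its computer object DN.
    $dcByName = @{}
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $dcByName[$dc.Name.ToUpperInvariant()] = $dc.ComputerObjectDN
    }

    # 3. Walk every computer object and flag the two spoofing indicators.
    foreach ($c in Get-ADComputer -Filter * -Properties sAMAccountName, whenChanged -Server $Domain) {
        $sam = $c.sAMAccountName

        # Indicator A: a computer object whose sAMAccountName no longer ends in $
        if (-not $sam.EndsWith('$')) {
            $findings.Add([pscustomobject]@{
                Check  = 'NoDollarSuffix'
                Object = $c.DistinguishedName
                Detail = "sAMAccountName '$sam' has no trailing `$ (last changed $($c.whenChanged))"
            })
        }

        # Indicator B: the name (with or without $) matches a DC, but this object is not that DC
        $bare = $sam.TrimEnd('$').ToUpperInvariant()
        if ($dcByName.ContainsKey($bare) -and $dcByName[$bare] -ne $c.DistinguishedName) {
            $findings.Add([pscustomobject]@{
                Check  = 'DCNameCollision'
                Object = $c.DistinguishedName
                Detail = "sAMAccountName '$sam' collides with Domain Controller $bare"
            })
        }
    }
    return $findings
}

Get-NoPacExposure | Format-Table -AutoSize
```

An empty result means the quota is 0 and no computer object currently carries a spoofed name; it says nothing about renames that were already reverted, which is why event-log review (4742) is still needed alongside this directory snapshot.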

Discovery

The NoPac attack chain was researched and disclosed by security researchers in December 2021, shortly after the November patches. Andrew Bartlett and others in the open-source Samba/AD community contributed to the analysis. The full NoPac exploit chain was published as open-source tooling on December 11, 2021, making the attack accessible to any attacker with a low-privileged domain account.

Exploitation Context

The NoPac chain (CVE-2021-42278 + CVE-2021-42287) is particularly dangerous because it enables escalation from domain user to Domain Admin in a single attack chain — one of the most severe possible privilege escalation outcomes in a Windows environment. After the public nopac.py tool release in December 2021, this became a standard tool in ransomware operators' post-compromise playbooks. CISA added both CVEs to KEV in April 2022, confirming active use in ransomware intrusions. Unpatched domain controllers in environments with default ms-DS-MachineAccountQuota settings (which allow machine account creation by any authenticated user) remain vulnerable.

Remediation

  1. Apply the November 2021 cumulative update to all Domain Controllers via Windows Update (KB5008102 for Server 2019, or the equivalent update for other versions)
  2. Both CVE-2021-42278 and CVE-2021-42287 must be patched to fully break the NoPac attack chain
  3. As a defense-in-depth measure, set ms-DS-MachineAccountQuota to 0 in Active Directory to prevent regular users from creating machine accounts (domain joins then require an account explicitly delegated the right to create computer objects): Set-ADDomain -Identity domain.local -Replace @{"ms-DS-MachineAccountQuota"="0"}
  4. Monitor Active Directory for machine account renames — especially changes to sAMAccountName attributes that remove the $ suffix
  5. Deploy Microsoft Defender for Identity (formerly Azure ATP) with alerts enabled for suspicious Kerberos activity
  6. Review machine account creation logs: Event ID 4741 (computer account created) and 4742 (computer account changed)
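Steps 4 and 6 can be combined into one review of the Security log on a Domain Controller: event 4742 carries the new sAMAccountName when that attribute changed (or "-" when it did not), and 4741 records who created each computer account. The script below is an added example, not code from the advisory or from Microsoft. It assumes the "Audit Computer Account Management" subcategory is enabled on the DC (otherwise neither event is written), the RSAT ActiveDirectory module for the DC name list, and a one-week lookback; the function names are this example's own.

```powershell
# Added example (not from the original advisory): flag 4741/4742 events that
# match the NoPac rename pattern. Run on a Domain Controller with RSAT present.
Import-Module ActiveDirectory

# Turn the XML of a 4741/4742 record into a name -> value hashtable.
function ConvertFrom-AccountEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Decide whether one parsed event is suspicious. $DcNames are DC short names without $.
# Returns a one-line reason, or $null when the event is benign.
function Test-SuspiciousAccountEvent {
    param([hashtable]$Fields, [string[]]$DcNames)

    if ($Fields.Id -eq 4742 -and $Fields.SamAccountName -and $Fields.SamAccountName -ne '-') {
        $new = $Fields.SamAccountName
        # Rename that drops the $ suffix: the CVE-2021-42278 primitive
        if (-not $new.EndsWith('$')) {
            return "sAMAccountName of $($Fields.TargetUserName) set to '$new' (no `$ suffix) by $($Fields.SubjectUserName)"
        }
        # Rename to a DC's name, with or without the suffix
        if ($DcNames -contains $new.TrimEnd('$').ToUpperInvariant()) {
            return "sAMAccountName of $($Fields.TargetUserName) set to DC name '$new' by $($Fields.SubjectUserName)"
        }
    }

    # Creation events are reported as-is so the reviewer can see which non-admin
    # principals are adding computer objects (the quota path the chain starts from).
    if ($Fields.Id -eq 4741) {
        return "computer account $($Fields.TargetUserName) created by $($Fields.SubjectUserName)"
    }
    return $null
}

$dcNames = Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToUpperInvariant() }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4741, 4742
    StartTime = (Get-Date).AddDays(-7)   # assumption: one-week lookback
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $f   = ConvertFrom-AccountEvent -Event $e
    $why = Test-SuspiciousAccountEvent -Fields $f -DcNames $dcNames
    if ($why) {
        [pscustomobject]@{ Time = $f.Time; Id = $f.Id; Subject = $f.SubjectUserName; Finding = $why }
    }
}
```

Because the chain renames the account back after obtaining the TGT, the directory may look clean by the time anyone checks; a pair of 4742 events on the same computer object a few seconds apart, the first dropping the $ and the second restoring it, is the durable trace this review is meant to surface.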

Key Details

Property              Value
CVE ID                CVE-2021-42278
Vendor / Product      Microsoft — Active Directory
NVD Published         2021-11-10
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CISA KEV Added        2022-04-11
CISA KEV Deadline     2022-05-02
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    High
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-02. Apply updates per vendor instructions.

Timeline

Date        Event
2021-11-09  Microsoft patches CVE-2021-42278 in November 2021 Patch Tuesday
2021-11-10  CVE published
2021-12-11  NoPac exploit tool published publicly — CVE-2021-42278 + CVE-2021-42287 chain enabling domain user to Domain Admin
2022-04-11  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-02  CISA BOD 22-01 remediation deadline