CVE-2021-42287 — Microsoft Active Directory Domain Services Privilege Escalation Vulnerability

Active Directory — NoPac Stage 2: Kerberos PAC Missing Check Allows Spoofed DC Ticket to Yield Domain Admin Service Ticket

What is Active Directory Kerberos PAC?

The Kerberos Privilege Attribute Certificate (PAC) is a Microsoft extension to the Kerberos protocol used in Active Directory. When a user or machine account authenticates to a Domain Controller (the AS exchange) and receives a Ticket Granting Ticket (TGT), the TGT carries a PAC listing the account's SID, group memberships and privileges. When that account later presents the TGT to request a Service Ticket for a specific service (the TGS exchange), the Key Distribution Center (KDC) on the Domain Controller builds the new ticket and must resolve the client name stored in the TGT back to a directory account in order to populate the new ticket's PAC. That lookup is the security-critical step: if the name in the TGT no longer matches an account exactly, the KDC must refuse the request rather than guess which account the TGT belongs to.

Overview

CVE-2021-42287 is the second stage of the NoPac attack chain (combined with CVE-2021-42278). After CVE-2021-42278 is used to rename a machine account so that its sAMAccountName matches a Domain Controller's name without the trailing $, CVE-2021-42287 exploits a missing validation in how the KDC handles TGS requests when the account named in the TGT can no longer be found. Because the attacker renames the machine account back after obtaining the TGT, the lookup for the client name fails, and the unpatched KDC falls back to searching for the same name with a $ appended. That search finds the real Domain Controller's machine account, so the KDC treats the TGT as belonging to the DC and issues tickets carrying the DC account's identity and privileges.

The combination of CVE-2021-42278 + CVE-2021-42287 allows any domain user who can create or control a machine account (the default ms-DS-MachineAccountQuota of 10 lets every authenticated user create ten) to obtain a Service Ticket as a Domain Admin, which is a complete domain compromise. Microsoft patched both in the November 2021 Patch Tuesday release.

Affected Versions

Product                       Vulnerable   Fixed
Windows Server 2008 R2 SP1    Yes          November 2021 cumulative update
Windows Server 2012 / 2012 R2 Yes          November 2021 cumulative update
Windows Server 2016           Yes          November 2021 cumulative update
Windows Server 2019           Yes          November 2021 cumulative update
Windows Server 2022           Yes          November 2021 cumulative update

Technical Details

CVE-2021-42287 enables the second and decisive stage of the NoPac chain:

  • Root cause: The KDC does not verify that the account it resolves for a TGS request is the account that originally obtained the TGT. When the client name in the TGT cannot be found, the KDC appends a $ to the name and searches again, a fallback that should not exist. The fix (Microsoft KB5008380) adds a PAC_REQUESTOR buffer carrying the requester's SID to every TGT and, once enforced, rejects tickets whose client name resolves to a different SID or that lack the buffer
  • The NoPac chain in full:
    1. (CVE-2021-42278) Attacker creates machine account EVIL$ (allowed by the default machine account quota) and sets its sAMAccountName to DC01, the Domain Controller's name without the trailing $
    2. Attacker requests a TGT as DC01; the KDC issues a TGT whose client name is DC01 because, at that moment, an account with that name exists
    3. Attacker renames the machine account back to EVIL$, so DC01 no longer matches any account and only DC01$ (the real DC) remains
    4. (CVE-2021-42287) Attacker presents the DC01 TGT in a TGS request. The KDC cannot find DC01, retries as DC01$, finds the real Domain Controller account and treats the TGT as the DC's own. Public tools make this request as S4U2self to obtain a Service Ticket for the DC's own services (cifs or ldap on DC01) on behalf of a Domain Admin such as Administrator
    5. Attacker uses that Service Ticket to execute commands on the DC or perform a DCSync, dump all domain credentials, and complete the domain compromise
  • Attack Complexity is rated High because the chain requires several sequenced steps, but public tools (nopac.py and equivalents) automate the entire chain in a single command
  • Patch scope: the fixes for both CVEs ship in the same cumulative update, and every Domain Controller must receive it, because an attacker can direct the whole chain at any single unpatched DC
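The lookup described in the root cause and in steps 2 through 4 above, replayed against a toy KDC. This is an added example written for this page, not Microsoft's code or nopac.py: the directory contents, SIDs and group names are constructed, and the "patched" lookup is a simplified model of the PAC_REQUESTOR check rather than the real KDC logic. The model deliberately still allows the rename in step 1 so that it isolates the CVE-2021-42287 half of the chain.

```python
"""Toy model of the KDC account lookup at the heart of CVE-2021-42287.

Added example for this page, not Microsoft's code. Directory contents, SIDs and
group names are constructed; the two lookup functions model the pre-patch
'$' fallback and the post-patch PAC_REQUESTOR binding in simplified form.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    sam: str       # sAMAccountName as currently stored in the directory
    sid: str       # objectSid (constructed values below)
    groups: tuple  # memberships that end up in a ticket's PAC


class Directory:
    """Minimal sAMAccountName -> Account index with the rename the chain relies on."""

    def __init__(self, accounts: List[Account]) -> None:
        self.by_sam = {a.sam: a for a in accounts}

    def find(self, sam: str) -> Optional[Account]:
        return self.by_sam.get(sam)

    def rename(self, old: str, new: str) -> None:
        # Before the CVE-2021-42278 fix nothing stopped a machine account's owner
        # from dropping the trailing '$' or reusing a DC's short name.
        acct = self.by_sam.pop(old)
        acct.sam = new
        self.by_sam[new] = acct


@dataclass
class TGT:
    cname: str                    # client name embedded in the ticket
    requestor_sid: Optional[str]  # PAC_REQUESTOR; None on tickets from an unpatched KDC


def as_req(directory: Directory, name: str, patched: bool) -> TGT:
    """AS exchange: issue a TGT for whichever account holds `name` right now."""
    acct = directory.find(name)
    if acct is None:
        raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    return TGT(cname=name, requestor_sid=acct.sid if patched else None)


def tgs_lookup_vulnerable(directory: Directory, tgt: TGT) -> Account:
    """Pre-patch TGS handling: if the cname is gone, retry with a '$' appended."""
    acct = directory.find(tgt.cname)
    if acct is None:
        acct = directory.find(tgt.cname + "$")  # the fallback CVE-2021-42287 is about
    if acct is None:
        raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    return acct


def tgs_lookup_patched(directory: Directory, tgt: TGT) -> Account:
    """Post-patch TGS handling (model): no '$' retry, and the resolved account must
    carry the SID recorded in PAC_REQUESTOR. The error name is the one noPac tooling
    reports against a patched DC."""
    acct = directory.find(tgt.cname)
    if acct is None or tgt.requestor_sid is None or acct.sid != tgt.requestor_sid:
        raise LookupError("KDC_ERR_TGT_REVOKED")
    return acct


def run_chain(patched: bool) -> Optional[str]:
    """Replay steps 1-4 of the chain. Returns the SID the Service Ticket's PAC would be
    built for, or None if the KDC refused the TGS request."""
    dc = Account("DC01$", "S-1-5-21-1111-2222-3333-1000", ("Domain Controllers",))
    evil = Account("EVIL$", "S-1-5-21-1111-2222-3333-1105", ("Domain Computers",))
    directory = Directory([dc, evil])

    directory.rename("EVIL$", "DC01")            # step 1: CVE-2021-42278 rename
    tgt = as_req(directory, "DC01", patched)     # step 2: TGT whose cname is DC01
    directory.rename("DC01", "EVIL$")            # step 3: DC01 now matches no account
    lookup = tgs_lookup_patched if patched else tgs_lookup_vulnerable
    try:
        return lookup(directory, tgt).sid        # step 4: TGS request resolution
    except LookupError:
        return None


if __name__ == "__main__":
    print("unpatched KDC resolves the DC01 TGT to SID:", run_chain(patched=False))
    print("patched KDC resolves the DC01 TGT to SID:  ", run_chain(patched=True))
```

Against the unpatched lookup the TGT obtained as EVIL$ resolves to the SID of DC01$; against the patched lookup the same request is refused. The point to take from the model is that the defect is not in the TGT itself but in the KDC trusting a name, which is mutable, instead of the SID, which is not.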

Discovery

The NoPac chain was analyzed and publicly disclosed by security researchers following the November 2021 Patch Tuesday release. The nopac.py exploit tool was published on December 11, 2021, automating the full domain compromise chain and making it accessible to any attacker with a low-privileged domain account and network access to a Domain Controller.

Exploitation Context

The NoPac chain is considered one of the most impactful Active Directory privilege escalation techniques discovered in 2021, rivaling earlier DC escalation techniques such as PrintNightmare and Zerologon. After the public tool release in December 2021, ransomware operators incorporated it into post-compromise workflows: after gaining initial domain access (via phishing, a web shell, or other means), NoPac provides a reliable path from any domain user account to full domain compromise. CISA added both CVEs to KEV in April 2022, confirming active exploitation in ransomware attacks. Organizations running unpatched Domain Controllers of any version with the default machine account quota remain fully vulnerable.

Remediation

  1. Apply the November 2021 (or later) cumulative update to all Domain Controllers; Microsoft's KB5008380 (authentication updates for CVE-2021-42287) and KB5008102 (SAM hardening for CVE-2021-42278) describe the changes
  2. Both CVE-2021-42278 and CVE-2021-42287 fixes must be present on every Domain Controller to break the NoPac chain; a single unpatched DC is enough for the attack to succeed
  3. Set ms-DS-MachineAccountQuota to 0 as defense-in-depth to prevent unauthorized machine account creation: Set-ADDomain -Identity domain.local -Replace @{"ms-DS-MachineAccountQuota"="0"}
  4. Monitor for Kerberos TGT requests (event 4768) whose account name matches a DC name without the trailing $, and for account renames (event 4781) that drop the $ from a machine account or adopt a DC's name
  5. Deploy Microsoft Defender for Identity with the "Suspected identity theft (pass-the-ticket)" and "Suspected Kerberos SPN exposure" alerts enabled
  6. Audit computer objects with Get-ADComputer -Filter * -Properties sAMAccountName and flag any whose sAMAccountName does not end in $
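The monitoring in items 4 and 6 above, expressed as rules over Security-log records. This is an added example for this page, not code from Microsoft, Defender for Identity or any SIEM vendor: the records are constructed to resemble the fields of events 4741 (computer account created), 4781 (account name changed) and 4768 (TGT requested), DC_NAMES is an assumed DC inventory, and the severities are illustrative. It goes slightly beyond item 4 by correlating the rename, the TGT request and the rename back, so the three steps of the chain surface as one sequence rather than three isolated hits.

```python
"""Detection rules for the naming steps of NoPac, run over constructed log records.

Added example for this page, not code from Microsoft or any detection product.
EVENTS models only the fields the rules need; DC_NAMES is an assumed inventory.
"""
from typing import Dict, List, Tuple

DC_NAMES = {"DC01", "DC02"}  # assumed DC sAMAccountNames without the trailing '$'

EVENTS: List[Dict[str, str]] = [  # constructed sample records, in logged order
    {"EventID": "4741", "SubjectUserName": "jdoe", "TargetUserName": "EVIL$"},
    {"EventID": "4781", "SubjectUserName": "jdoe",
     "OldTargetUserName": "EVIL$", "NewTargetUserName": "DC01"},
    {"EventID": "4768", "TargetUserName": "DC01", "IpAddress": "::ffff:10.0.0.55"},
    {"EventID": "4781", "SubjectUserName": "jdoe",
     "OldTargetUserName": "DC01", "NewTargetUserName": "EVIL$"},
    # benign records that must not fire: the real DC requesting its own TGT,
    # and a rename that keeps the trailing '$'
    {"EventID": "4768", "TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": "4781", "SubjectUserName": "svc_sccm",
     "OldTargetUserName": "WS042$", "NewTargetUserName": "WS042-OLD$"},
]

Alert = Tuple[str, str]  # (severity, message)


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """One pass over the records, keeping just enough state to tie the steps together."""
    alerts: List[Alert] = []
    spoofed: Dict[str, str] = {}  # DC short name currently held by a renamed account -> renamer
    for ev in events:
        eid = ev["EventID"]
        if eid == "4741":
            alerts.append(("LOW", f"{ev['SubjectUserName']} created machine account "
                                  f"{ev['TargetUserName']} (check ms-DS-MachineAccountQuota)"))
        elif eid == "4781":
            old, new, who = ev["OldTargetUserName"], ev["NewTargetUserName"], ev["SubjectUserName"]
            if new.upper() in DC_NAMES:
                spoofed[new.upper()] = who
                alerts.append(("HIGH", f"{who} renamed {old} to DC short name {new} "
                                       f"(CVE-2021-42278 pattern)"))
            elif old.endswith("$") and not new.endswith("$"):
                alerts.append(("MEDIUM", f"{who} renamed machine account {old} to {new}, "
                                         f"dropping the trailing '$'"))
            if old.upper() in spoofed:
                spoofed.pop(old.upper())
                alerts.append(("HIGH", f"{who} renamed spoofed DC name {old} back to {new}; "
                                       f"any TGT issued for {old} meanwhile now resolves to "
                                       f"{old}$ on an unpatched KDC (CVE-2021-42287 pattern)"))
        elif eid == "4768":
            name = ev["TargetUserName"]
            if name.upper() in DC_NAMES:  # a TGT for a DC name without '$' has no legitimate source
                sev = "CRITICAL" if name.upper() in spoofed else "HIGH"
                alerts.append((sev, f"TGT requested for DC short name {name} from {ev['IpAddress']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(EVENTS):
        print(f"[{severity}] {message}")
```

Run over the sample it raises four alerts (the creation, the rename onto DC01, the TGT request for DC01 while that rename is live, and the rename back) and stays silent on the two benign records. In production the records would come from Get-WinEvent on the DCs or from the SIEM that collects their Security logs; the rule on 4768 is the cheapest one to deploy on its own, since a TGT request for a DC's short name never occurs legitimately.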

Key Details

Property              Value
CVE ID                CVE-2021-42287
Vendor / Product      Microsoft — Active Directory
NVD Published         2021-11-10
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CISA KEV Added        2022-04-11
CISA KEV Deadline     2022-05-02
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-05-02. Apply updates per vendor instructions.

Timeline

Date         Event
2021-11-09   Microsoft patches CVE-2021-42287 in the November 2021 Patch Tuesday release
2021-11-10   CVE published
2021-12-11   NoPac exploit tool published publicly; the CVE-2021-42278 + CVE-2021-42287 chain takes any domain user to Domain Admin
2022-04-11   Added to the CISA Known Exploited Vulnerabilities catalog alongside CVE-2021-42278
2022-05-02   CISA BOD 22-01 remediation deadline