CVE-2021-42278: Windows Server Privilege Escalation Flaw

CVE-2021-42278 Overview

CVE-2021-42278 is an Active Directory Domain Services (AD DS) Elevation of Privilege vulnerability that affects Microsoft Windows Server deployments. This vulnerability allows an authenticated attacker with low privileges to impersonate a domain controller by exploiting weaknesses in how AD DS handles the Security Account Manager (SAM) account name validation. When combined with CVE-2021-42287 (commonly referred to as "sAMAccountName Spoofing" or "noPac"), this vulnerability can enable complete domain takeover.

Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows authenticated attackers to escalate privileges to Domain Admin, potentially compromising the entire Active Directory environment.

Affected Products

Microsoft Windows Server 2004
Microsoft Windows Server 2008 (SP2 and R2 SP1)
Microsoft Windows Server 2012 (and R2)
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows Server 2022
Microsoft Windows Server 20H2

Discovery Timeline

2021-11-10 - CVE-2021-42278 published to NVD
2025-10-30 - Last updated in NVD database

Technical Details for CVE-2021-42278

Vulnerability Analysis

This vulnerability exists in how Active Directory Domain Services validates the sAMAccountName attribute during certain authentication operations. By default, Active Directory allows domain users to create machine accounts (up to 10 by default, controlled by the ms-DS-MachineAccountQuota attribute). When creating or modifying these machine accounts, AD DS fails to properly enforce that computer account names must end with a $ character.

An attacker can create a machine account and modify its sAMAccountName to match that of a Domain Controller (without the trailing $). This naming confusion can then be leveraged in conjunction with CVE-2021-42287 to obtain a Kerberos ticket for the actual Domain Controller account, effectively impersonating it and gaining Domain Admin privileges.

Root Cause

The root cause lies in insufficient validation of the sAMAccountName attribute within Active Directory Domain Services. The SAM-Account-Name attribute is supposed to be unique within a domain and follow specific naming conventions (computer accounts should end with $). However, AD DS does not properly enforce these constraints when users modify machine account names they control, allowing name spoofing attacks against privileged accounts like Domain Controllers.

Attack Vector

The attack requires network access to the domain environment and valid low-privilege domain credentials. The attack follows these stages:

The attacker authenticates to the domain with a standard user account
Using default permissions, the attacker creates a new machine account
The attacker modifies the sAMAccountName of the machine account to match a Domain Controller's name (minus the $ suffix)
The attacker requests a Kerberos TGT for the spoofed machine account
The attacker changes the machine account name back to something else
When requesting a service ticket, the KDC cannot find the original account and falls back to appending $, issuing a ticket for the actual Domain Controller
The attacker now possesses a valid service ticket for the Domain Controller, enabling privilege escalation to Domain Admin

This attack is commonly automated using tools that exploit both CVE-2021-42278 and CVE-2021-42287 together.

Detection Methods for CVE-2021-42278

Indicators of Compromise

Unusual machine account creation by non-administrative users
Rapid changes to sAMAccountName attributes on machine accounts
Machine accounts with names matching Domain Controllers (without trailing $)
Anomalous Kerberos ticket requests following machine account name changes
Event ID 4741 (computer account created) followed by Event ID 4742 (computer account changed) in quick succession

Detection Strategies

Monitor Windows Security Event Logs for Event ID 4741 (machine account creation) and Event ID 4742 (machine account modification)
Enable auditing of Directory Service Changes to track sAMAccountName attribute modifications
Alert on machine account names that resemble Domain Controller names
Deploy SentinelOne Singularity platform to detect post-exploitation behaviors associated with noPac attacks
Implement honeypot machine accounts with names similar to DCs to detect spoofing attempts

Monitoring Recommendations

Enable advanced audit policies for account management and directory service access
Configure SIEM rules to correlate machine account creation with subsequent name changes
Monitor for unusual Kerberos authentication patterns from newly created machine accounts
Track ms-DS-MachineAccountQuota usage per user to identify potential abuse
Deploy endpoint detection on Domain Controllers to identify suspicious authentication activity

How to Mitigate CVE-2021-42278

Immediate Actions Required

Apply Microsoft security patches immediately to all affected Windows Server systems
Set ms-DS-MachineAccountQuota to 0 to prevent standard users from creating machine accounts
Review and audit existing machine accounts for suspicious naming patterns
Enable enhanced logging for Active Directory changes
Implement SentinelOne endpoint protection on all Domain Controllers and critical servers

Patch Information

Microsoft released security patches for this vulnerability in the November 2021 Patch Tuesday release. Organizations should apply the patches available through Windows Update or download them directly from the Microsoft Security Advisory for CVE-2021-42278. Given that this vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, federal agencies and critical infrastructure organizations should prioritize remediation.

Workarounds

Set ms-DS-MachineAccountQuota to 0 at the domain level to prevent non-admin users from creating machine accounts
Implement strict monitoring and alerting for any machine account creation or modification events
Apply the principle of least privilege by removing unnecessary permissions from user accounts
Consider implementing tiered administration models to limit exposure of privileged credentials
Use Group Policy to restrict which users can join computers to the domain

bash

# PowerShell command to set MachineAccountQuota to 0
Set-ADDomain -Identity "DC=yourdomain,DC=com" -Replace @{"ms-DS-MachineAccountQuota"="0"}

# Verify the change
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota | Select-Object ms-DS-MachineAccountQuota

CVE-2021-42278 Overview

Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows authenticated attackers to escalate privileges to Domain Admin, potentially compromising the entire Active Directory environment.

Affected Products

Microsoft Windows Server 2004
Microsoft Windows Server 2008 (SP2 and R2 SP1)
Microsoft Windows Server 2012 (and R2)
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows Server 2022
Microsoft Windows Server 20H2

Discovery Timeline

2021-11-10 - CVE-2021-42278 published to NVD
2025-10-30 - Last updated in NVD database

Technical Details for CVE-2021-42278

Vulnerability Analysis

Root Cause

Attack Vector

The attack requires network access to the domain environment and valid low-privilege domain credentials. The attack follows these stages:

The attacker authenticates to the domain with a standard user account
Using default permissions, the attacker creates a new machine account
The attacker modifies the sAMAccountName of the machine account to match a Domain Controller's name (minus the $ suffix)
The attacker requests a Kerberos TGT for the spoofed machine account
The attacker changes the machine account name back to something else
When requesting a service ticket, the KDC cannot find the original account and falls back to appending $, issuing a ticket for the actual Domain Controller
The attacker now possesses a valid service ticket for the Domain Controller, enabling privilege escalation to Domain Admin

This attack is commonly automated using tools that exploit both CVE-2021-42278 and CVE-2021-42287 together.

Detection Methods for CVE-2021-42278

Indicators of Compromise

Unusual machine account creation by non-administrative users
Rapid changes to sAMAccountName attributes on machine accounts
Machine accounts with names matching Domain Controllers (without trailing $)
Anomalous Kerberos ticket requests following machine account name changes
Event ID 4741 (computer account created) followed by Event ID 4742 (computer account changed) in quick succession

Detection Strategies

Monitor Windows Security Event Logs for Event ID 4741 (machine account creation) and Event ID 4742 (machine account modification)
Enable auditing of Directory Service Changes to track sAMAccountName attribute modifications
Alert on machine account names that resemble Domain Controller names
Deploy SentinelOne Singularity platform to detect post-exploitation behaviors associated with noPac attacks
Implement honeypot machine accounts with names similar to DCs to detect spoofing attempts

Monitoring Recommendations

Enable advanced audit policies for account management and directory service access
Configure SIEM rules to correlate machine account creation with subsequent name changes
Monitor for unusual Kerberos authentication patterns from newly created machine accounts
Track ms-DS-MachineAccountQuota usage per user to identify potential abuse
Deploy endpoint detection on Domain Controllers to identify suspicious authentication activity

How to Mitigate CVE-2021-42278

Immediate Actions Required

Apply Microsoft security patches immediately to all affected Windows Server systems
Set ms-DS-MachineAccountQuota to 0 to prevent standard users from creating machine accounts
Review and audit existing machine accounts for suspicious naming patterns
Enable enhanced logging for Active Directory changes
Implement SentinelOne endpoint protection on all Domain Controllers and critical servers

Patch Information

Workarounds

Set ms-DS-MachineAccountQuota to 0 at the domain level to prevent non-admin users from creating machine accounts
Implement strict monitoring and alerting for any machine account creation or modification events
Apply the principle of least privilege by removing unnecessary permissions from user accounts
Consider implementing tiered administration models to limit exposure of privileged credentials
Use Group Policy to restrict which users can join computers to the domain

bash

# PowerShell command to set MachineAccountQuota to 0
Set-ADDomain -Identity "DC=yourdomain,DC=com" -Replace @{"ms-DS-MachineAccountQuota"="0"}

# Verify the change
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota | Select-Object ms-DS-MachineAccountQuota

CVE-2021-42278: Windows Server Privilege Escalation Flaw

CVE-2021-42278 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-42278

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-42278

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-42278

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-42278: Windows Server Privilege Escalation Flaw

CVE-2021-42278 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-42278

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-42278

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-42278

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform