CVE-2021-42287 Overview
CVE-2021-42287 is a critical Elevation of Privilege vulnerability affecting Microsoft Active Directory Domain Services (AD DS). This vulnerability allows an authenticated attacker with low privileges to escalate their permissions to Domain Administrator level by exploiting a flaw in the Kerberos Privilege Attribute Certificate (PAC) validation process. The vulnerability is particularly dangerous when combined with CVE-2021-42278 (sAMAccountName Spoofing), enabling a complete domain takeover attack chain commonly known as "noPac" or "sAMAccountName Spoofing."
Critical Impact
This vulnerability enables authenticated users to escalate privileges to Domain Administrator, potentially leading to complete Active Directory domain compromise. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
Affected Products
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- 2021-11-10 - CVE-2021-42287 published to NVD
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2021-42287
Vulnerability Analysis
The vulnerability resides in how Active Directory Domain Services handles Kerberos authentication and the Privilege Attribute Certificate (PAC) during the Ticket Granting Service (TGS) request process. When a Key Distribution Center (KDC) receives a TGS request for a service ticket, it must locate the account associated with the requesting ticket. If the KDC cannot find the account specified in the TGS request, it attempts to add a trailing dollar sign ($) to the account name and searches again, assuming the requestor might be a machine account.
This behavior becomes exploitable when an attacker creates a machine account (which standard domain users can do by default), renames it to match a Domain Controller's sAMAccountName (without the trailing $), requests a Ticket Granting Ticket (TGT), and then renames the account again. When the attacker subsequently requests a service ticket using the TGT, the KDC fails to find the original account, appends the $ character, and inadvertently issues a ticket with the privileges of the Domain Controller—effectively granting Domain Administrator access.
Root Cause
The root cause of CVE-2021-42287 lies in insufficient validation within the Kerberos PAC handling logic. The KDC's fallback mechanism of appending a dollar sign to account names when the original account cannot be found creates an authentication bypass condition. This design flaw, combined with the default ability for authenticated users to create machine accounts and the lack of proper binding between the TGT and the current state of the account, enables the privilege escalation attack.
Attack Vector
The attack is network-based and requires only low-level authenticated access to the domain. An attacker can exploit this vulnerability remotely without any user interaction. The attack sequence involves:
- The attacker creates a new machine account using default domain permissions
- The attacker changes the machine account's sAMAccountName attribute to match a Domain Controller name (minus the trailing $)
- A TGT is requested for this spoofed account
- The attacker reverts the sAMAccountName to its original value
- Using the obtained TGT, the attacker requests a service ticket (S4U2self)
- The KDC, unable to find the account, appends $ and issues a ticket with Domain Controller privileges
This attack chain requires no specialized tools beyond standard Kerberos utilities and can be executed rapidly once an attacker has any authenticated foothold in the domain.
Detection Methods for CVE-2021-42287
Indicators of Compromise
- Unusual machine account creation activity from non-administrative users
- Rapid succession of sAMAccountName attribute modifications on computer objects
- TGT requests immediately followed by account rename operations
- S4U2self service ticket requests from accounts that were recently modified
- Event ID 4741 (computer account creation) followed closely by Event ID 4742 (computer account modification)
Detection Strategies
- Monitor for Event ID 4781 (account name changes) on Domain Controllers, particularly for machine accounts
- Implement alerts for Event ID 4769 (Kerberos Service Ticket Operations) where the service name matches a Domain Controller but the requestor is unexpected
- Track machine account creation (Event ID 4741) and correlate with subsequent privilege escalation indicators
- Deploy detection rules for rapid sequences of account creation, modification, and Kerberos ticket requests within short timeframes
Monitoring Recommendations
- Enable Advanced Audit Policy for DS Access and Account Management on all Domain Controllers
- Configure SIEM rules to correlate machine account lifecycle events with Kerberos authentication events
- Monitor for tools commonly associated with this attack such as Rubeus, noPac.exe, and Impacket script signatures
- Implement baseline monitoring for normal machine account creation patterns to identify anomalies
How to Mitigate CVE-2021-42287
Immediate Actions Required
- Apply the Microsoft security update KB5008380 (or later cumulative updates) to all Domain Controllers immediately
- Audit and reduce the ms-DS-MachineAccountQuota attribute value from the default of 10 to 0 to prevent standard users from creating machine accounts
- Review existing machine accounts for suspicious naming patterns or recent modifications
- Enable Protected Users security group membership for high-privilege accounts
- Verify that all Domain Controllers have been patched before removing any compensating controls
Patch Information
Microsoft released patches addressing CVE-2021-42287 as part of the November 2021 security updates. The fix modifies how the KDC validates PAC information during TGS requests, ensuring proper account binding throughout the authentication process. Organizations should refer to the Microsoft Security Advisory CVE-2021-42287 for detailed patch information. This vulnerability is tracked in the CISA Known Exploited Vulnerabilities Catalog, which mandates federal agencies to apply remediation.
Workarounds
- Set ms-DS-MachineAccountQuota to 0 to prevent standard users from creating machine accounts, reducing the attack surface
- Implement strict monitoring and alerting for any machine account modifications pending patch deployment
- Consider enabling audit mode for the PAC validation changes before full enforcement to identify potential compatibility issues
- Restrict delegation settings and review existing Kerberos delegation configurations across the domain
# PowerShell: Set MachineAccountQuota to 0 to prevent unprivileged machine account creation
Set-ADDomain -Identity "DC=domain,DC=com" -Replace @{"ms-DS-MachineAccountQuota"="0"}
# PowerShell: Query current MachineAccountQuota value
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
# PowerShell: Find recently modified machine accounts (last 7 days)
Get-ADComputer -Filter * -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-7)} | Select-Object Name, whenChanged
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
