noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
§ Context
Assumed environment: a low-priv domain user with rights to create machine accounts (default ms-DS-MachineAccountQuota = 10, and the creator keeps write access to the objects it creates) and a DC that has not received the November 2021 updates for CVE-2021-42278 and CVE-2021-42287.
§ Steps
- 01 Low-priv domain user (Initial Access: T1078 Valid Accounts)
- 02 Create machine account (Persistence: T1136 Create Account)
addcomputer.py. MachineAccountQuota lets any authenticated user add up to 10 computer objects, and the creator keeps write access to the new object's attributes, sAMAccountName included.
- 03 Rename computer to DC's sAMAccountName (no $) (Privilege Escalation: AD-NOPAC sAMAccountName Spoofing, noPac, CVE-2021-42278/42287)
CVE-2021-42278: an unpatched DC does not enforce the trailing $ on computer account names, so the new object can be renamed to DC01 while the real DC keeps DC01$. The rename is an ordinary LDAP modify of sAMAccountName on an object the attacker owns.
- 04 Request TGT as fake DC (Credential Access: T1558 Steal or Forge Kerberos Tickets)
getTGT.py. Kerberos pre-auth succeeds with the spoofed name and the machine password set in step 02; the TGT's client name is DC01 with no $.
- 05 Rename machine back (Privilege Escalation: AD-NOPAC sAMAccountName Spoofing, noPac, CVE-2021-42278/42287)
Any other name works; what matters is that the principal DC01 no longer exists. Forces the KDC to fall back to <DCname>$ when looking up the principal (CVE-2021-42287).
- 06 S4U2self → cifs/DC ticket as DA (Privilege Escalation: AD-NOPAC sAMAccountName Spoofing, noPac, CVE-2021-42278/42287)
getST.py -self -impersonate Administrator -spn cifs/<DC>, presenting the TGT from step 04. The KDC cannot find DC01, retries as DC01$, and issues a service ticket for the DC's own service carrying a PAC for Administrator.
- 07 DCSync as Administrator (Credential Access: T1003.006 DCSync)
Use the cifs/<DC> ticket to replicate directory secrets (secretsdump.py with Kerberos authentication does this); the krbtgt hash recovered here is what makes the step 01 foothold permanent.
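The chain above leaves a fixed footprint in the DC's Security log: a computer object renamed to a DC's name without the trailing $ (Event 4781), a TGT issued to that $-less name (Event 4768), and the same object renamed away again afterwards. The detector below is an added example written for this page, not tooling from the dossier or from impacket; it assumes the events have already been parsed into dicts keyed by the Security log's EventData field names, and the DC inventory and sample events are constructed.

```python
"""Detect the noPac rename / TGT / rename-back sequence in Windows Security events.

Added example. Assumes events are dicts keyed by Security-log EventData names
(SubjectUserName, TargetUserName, TargetSid, OldTargetUserName, NewTargetUserName).
DC_ACCOUNTS and SAMPLE_EVENTS are constructed for the demo.
"""

# Assumed DC inventory; in production pull it from AD (Domain Controllers OU).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed events in arrival order: a benign rename, then the noPac chain,
# then a normal TGT request by the real DC (must not alert).
SAMPLE_EVENTS = [
    {"EventID": 4781, "SubjectUserName": "helpdesk", "TargetSid": "S-1-5-21-1-2-3-1090",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
    {"EventID": 4741, "SubjectUserName": "lowpriv", "TargetSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "FAKE01$"},
    {"EventID": 4781, "SubjectUserName": "lowpriv", "TargetSid": "S-1-5-21-1-2-3-1105",
     "OldTargetUserName": "FAKE01$", "NewTargetUserName": "DC01"},
    {"EventID": 4768, "TargetUserName": "DC01", "IpAddress": "::ffff:10.10.20.55", "Status": "0x0"},
    {"EventID": 4781, "SubjectUserName": "lowpriv", "TargetSid": "S-1-5-21-1-2-3-1105",
     "OldTargetUserName": "DC01", "NewTargetUserName": "FAKE01$"},
    {"EventID": 4768, "TargetUserName": "DC01$", "IpAddress": "::ffff:10.10.0.10", "Status": "0x0"},
]


def dc_short_names(dc_accounts):
    """'DC01$' -> 'dc01': the form the attacker gives the renamed computer object."""
    return {name.rstrip("$").lower() for name in dc_accounts}


def detect_nopac(events, dc_accounts=DC_ACCOUNTS):
    """Return alerts for the three observable stages of the chain.

    Stage 1 (4781): a computer object renamed to a DC's name without '$'.
    Stage 2 (4768): a TGT issued to that '$'-less DC name.
    Stage 3 (4781): the same object (matched on TargetSid) renamed away again
    after the TGT was issued, which is when the KDC starts falling back to DC$.
    Caveat: a user account legitimately named like a DC would trip stage 2;
    such a collision is worth an alert on its own.
    """
    dcs = dc_short_names(dc_accounts)
    alerts = []
    creators = {}       # TargetSid -> account that created the object (4741)
    spoofed = {}        # TargetSid -> (dc short name, account that renamed it)
    tgt_issued = set()  # dc short names that received a '$'-less TGT

    for index, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 4741:
            creators[ev["TargetSid"]] = ev["SubjectUserName"]
        elif eid == 4781:
            sid = ev["TargetSid"]
            new_name = ev["NewTargetUserName"]
            old_name = ev["OldTargetUserName"]
            if not new_name.endswith("$") and new_name.lower() in dcs:
                spoofed[sid] = (new_name.lower(), ev["SubjectUserName"])
                alerts.append({"rule": "rename-to-dc-name", "severity": "high",
                               "event_index": index, "sid": sid, "name": new_name,
                               "actor": ev["SubjectUserName"], "creator": creators.get(sid)})
            elif sid in spoofed and old_name.lower() == spoofed[sid][0]:
                dc_name, actor = spoofed.pop(sid)
                chained = dc_name in tgt_issued
                alerts.append({"rule": "nopac-chain" if chained else "rename-back-before-tgt",
                               "severity": "critical" if chained else "high",
                               "event_index": index, "sid": sid, "name": dc_name,
                               "actor": actor, "creator": creators.get(sid)})
        elif eid == 4768 and ev.get("Status", "0x0") == "0x0":
            # The client name may carry a realm suffix; compare the bare name.
            client = ev["TargetUserName"].split("@")[0]
            if not client.endswith("$") and client.lower() in dcs:
                tgt_issued.add(client.lower())
                alerts.append({"rule": "tgt-for-dc-name-without-dollar", "severity": "high",
                               "event_index": index, "name": client,
                               "source": ev.get("IpAddress")})
    return alerts


if __name__ == "__main__":
    for alert in detect_nopac(SAMPLE_EVENTS):
        print(alert)
```

Correlating on TargetSid rather than on the name is what ties stage 3 back to the object created in step 02 even though its name has changed twice; the creator from Event 4741 is carried into the final alert so the responder knows which low-priv account to contain. Event 4742 (computer account changed) carries the same rename in its SamAccountName field and can be substituted where 4781 is not collected.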
§ References
- T1078 Valid Accounts
- T1136 Create Account
- T1558 Steal or Forge Kerberos Tickets
- T1003.006 DCSync
- AD-NOPAC sAMAccountName Spoofing, noPac (CVE-2021-42278/42287)
§ Frequently asked
- What is the "noPac / sAMAccountName spoofing → Domain Admin" attack path?
- Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Low-priv domain user (T1078), an initial-access primitive: any authenticated domain account will do, no group membership required. Assumed environment: a low-priv domain user with rights to create machine accounts (default ms-DS-MachineAccountQuota = 10) and an unpatched DC.
- What is the final impact of this kill-chain?
- The final step lands on DCSync as Administrator (T1003.006), which falls under Credential Access: the cifs/<DC> service ticket carrying Administrator's PAC authorises directory replication, yielding the NT hashes of every domain account, krbtgt included. From here, an operator typically pivots into post-exploitation or maintains persistence; the krbtgt hash alone is enough to forge golden tickets.
- How can defenders detect or prevent this attack?
- Prevent: install the November 2021 updates on every DC (KB5008102 for CVE-2021-42278, KB5008380 for CVE-2021-42287), which tighten sAMAccountName validation for computer accounts and remove the KDC's $-append fallback; set ms-DS-MachineAccountQuota to 0 and grant domain-join rights to a dedicated group instead, which removes step 02 for ordinary users. Detect: Event 4741 (computer account created) by non-admin users, Event 4781 (account name changed) or 4742 where the new name matches a DC's sAMAccountName without $, and Event 4768 (TGT requested) whose client name is a DC name without $; the same object being renamed twice within minutes is the chain's signature. For the generic techniques, refer to each linked MITRE ATT&CK entry under "References", which lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 3
Cross-trust attack: child → parent forest via SID History
Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust.
- Shared techniques: 2
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- Shared techniques: 2
RBCD abuse → SYSTEM on a domain host
A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
- Shared techniques: 2
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- Shared techniques: 2
PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- Shared techniques: 2
GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.