AD-NOPACPrivilege Escalation

sAMAccountName Spoofing — noPac (CVE-2021-42278/42287)

Rename a low-priv computer account to a DC's name, request a TGS as it, then S4U2self to DA.

§ Where this technique fits

AD-NOPAC is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
step 3 / 7

§ What commonly comes next

01
DCSync
T1003.006 · Credential Access
seen 1×
02
Steal or Forge Kerberos Tickets
T1558 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

noPac / sAMAccountName spoofing → Domain Admin

§ What commonly comes next