From a normal account to domain admin (noPac)
A pair of Active Directory bugs let any user who can join machines rename a computer account to impersonate a domain controller and request its tickets. Here is noPac, and the patch and config that stop it.
The default that lets any user join ten machines to the domain is also the default that lets them become it.
What it is
noPac chains CVE-2021-42278 and CVE-2021-42287. A user able to join computers to the domain (the default MachineAccountQuota lets anyone join ten) creates a computer account, renames its sAMAccountName to match a domain controller, requests Kerberos tickets, and ends up able to impersonate the DC, leading to DCSync and domain compromise. This is T1078 (valid accounts) into T1558 (Kerberos ticket abuse).
Why it works
It abuses default settings (a nonzero MachineAccountQuota) and unpatched domain controllers, turning an ordinary account into domain admin in minutes.
How to detect it
Look for a computer-account creation followed by a sAMAccountName change to a DC-like name, together with unusual TGS requests. In the logs, that means Events 4741 and 4781 alongside Kerberos anomalies.
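One way to run the 4741-then-4781 correlation over exported events, as an added example rather than code from this article. The field names are assumptions modelled on those two Security events, and the accounts, SIDs and DC names are constructed sample data.

```python
from datetime import datetime

# Constructed sample events. Field names are modelled on Windows Security
# events 4741 and 4781 and are assumptions; map them to your SIEM's schema.
EVENTS = [
    {"EventID": 4741, "Time": "2024-05-01T10:00:05", "SubjectUserName": "jdoe",
     "TargetSid": "S-1-5-21-1-2-3-4101", "TargetUserName": "LAB-PC7$"},
    {"EventID": 4781, "Time": "2024-05-01T10:00:40", "SubjectUserName": "jdoe",
     "TargetSid": "S-1-5-21-1-2-3-4101", "OldTargetUserName": "LAB-PC7$",
     "NewTargetUserName": "DC01"},
    {"EventID": 4741, "Time": "2024-05-01T11:00:00", "SubjectUserName": "helpdesk",
     "TargetSid": "S-1-5-21-1-2-3-4102", "TargetUserName": "HR-LT12$"},
    {"EventID": 4781, "Time": "2024-05-01T11:05:00", "SubjectUserName": "helpdesk",
     "TargetSid": "S-1-5-21-1-2-3-4102", "OldTargetUserName": "HR-LT12$",
     "NewTargetUserName": "HR-LT13$"},
    {"EventID": 4781, "Time": "2024-05-02T09:00:00", "SubjectUserName": "svc-old",
     "TargetSid": "S-1-5-21-1-2-3-3001", "OldTargetUserName": "FILE02$",
     "NewTargetUserName": "dc02$"},
]

def norm(name):
    """Compare account names case-insensitively, ignoring a trailing '$'."""
    return name.rstrip("$").lower()

def find_dc_like_renames(events, dc_names, window_s=86400):
    """Alert on 4781 renames whose new name collides with a DC's name.

    'high' when the same user created the account (4741) within window_s
    seconds before the rename, otherwise 'medium'.
    """
    dcs = {norm(n) for n in dc_names}
    created = {}  # TargetSid -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        actor = ev["SubjectUserName"].lower()
        if ev["EventID"] == 4741:
            created[ev["TargetSid"]] = (when, actor)
        elif ev["EventID"] == 4781 and norm(ev["NewTargetUserName"]) in dcs:
            made = created.get(ev["TargetSid"])
            fresh = (made is not None and made[1] == actor
                     and (when - made[0]).total_seconds() <= window_s)
            alerts.append({"severity": "high" if fresh else "medium",
                           "actor": ev["SubjectUserName"], "sid": ev["TargetSid"],
                           "old": ev["OldTargetUserName"],
                           "new": ev["NewTargetUserName"]})
    return alerts
```

Feed it the real sAMAccountNames of your domain controllers as dc_names; a 'medium' hit (a rename onto a DC name with no recent creation by the same user) still deserves review.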
The fix that holds
Patch the two CVEs, set MachineAccountQuota to 0 so ordinary users cannot join machines, monitor computer-account renames, and restrict who can create computer objects.
Practice it
We built a noPac scenario in GraphLattice Range so teams learn the chain and the two settings that shut it down.