Technique entry
AD-UNPAC · Credential Access
UnPAC-the-Hash
From a cert-based PKINIT TGT, extract the user's NT hash via the PAC_CREDENTIAL_INFO field.
§ Where this technique fits
AD-UNPAC is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 4.5 on average.
§ Dossiers chaining this technique
- Step 4 of 5 · Shadow Credentials → PKINIT → NT hash
  Where GenericWrite is held over a target, write a fake KeyCredentialLink (WHfB-like) and authenticate via PKINIT to recover the target's NT hash.
- Step 5 of 6 · ADCS ESC11 → certificate via RPC (no web enrollment)
  When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
§ What commonly comes next
- DCSync (seen 1×) · T1003.006 · Credential Access
- Pass the Hash (seen 1×) · T1550.002 · Lateral Movement