Appearance
The Mimikatz Missing Manual
Welcome to the Mimikatz Missing Manual.
This project is the culmination of years of technical research and specialized training material originally developed for private classes at security conferences. For a long time, this information was only shared behind closed doors. Today, I am making it public to the community.
Behind the Scenes
This manual wasn't written in a vacuum. Much of the technical depth and internal logic documented here was refined with the direct help and insight of Benjamin Delpy, the author of Mimikatz.
My goal was to create the "Missing Manual"—the documentation that explains not just the commands, but the why and the how of the Windows protocols being manipulated.
What to Expect
This manual is divided into seven logical parts:
- Foundations: Setting up your environment and the basic syntax.
- System Internals: How Windows handles tokens, processes, and services.
- LSASS & Credentials: The heart of Mimikatz—extracting secrets from memory.
- Kerberos Deep Dive: Tickets, forgery, and delegation.
- PKI & Certificates: Hardware and software-based identities.
- Domain Persistence: Owning the directory through replication.
- DPAPI: Unlocking the secrets at rest.
How to Use This Manual
- For the Red Team: Every chapter includes command references and operational tradecraft to keep you effective.
- For the Blue Team: I have included detection strategies and event log signatures for every major attack.
- For the Curious: This is a deep dive into the guts of the Windows Security Authority.
Getting Started
If you are new to the tool, start with Part I: Foundations. If you are looking for specific Kerberos or Domain attacks, use the navigation menu at the top or the search bar in the top right.
Enjoy the master class.
— Carlos Perez