Chapter 45: References and Resources

Introduction

No manual can ever be truly complete in a field that moves as fast as Windows security. The tradecraft we’ve discussed in this book is built on the shoulders of giants—researchers who have spent thousands of hours reverse-engineering protocols, documenting APIs, and finding the subtle flaws that make these attacks possible. This final chapter is a curated collection of the resources that I rely on to stay sharp.

In my experience, the difference between a technician and an expert is the ability to go back to the source material. Whether you’re debugging an RPC call that keeps failing or you’re trying to build a custom detection for a new variant of a Golden Ticket, the links and references below are where you’ll find the answers. We’ve organized them by category: from official Microsoft protocol specifications to the foundational research of the community.

Stay curious, stay rigorous, and always assume that the worst has already happened. The tools change, but the fundamentals of identity and trust remain the same.

Official Documentation and Microsoft Resources

Windows Security Architecture

  • Windows Authentication Architecture: The official map of how Windows handles identities.
  • Credentials Protection: Microsoft’s guide to modern mitigations like Credential Guard.

Protocol Specifications ([MS-Project])

  • [MS-KILE]: The definitive guide to Kerberos Protocol Extensions.
  • [MS-NLMP]: The NTLM Authentication Protocol specification.
  • [MS-DRSR]: Directory Replication Service—the foundation of DCSync and DCShadow.
  • [MS-NRPC]: Netlogon Remote Protocol—the foundation of NetSync.

DPAPI and PKI

  • CryptProtectData API: The developer’s entry point into DPAPI.
  • AD CS Documentation: How to install and manage Certificate Services.

Community Research and Essential Resources

Foundational Blogs

  • ADSecurity.org (Sean Metcalf): If you only read one blog on AD security, make it this one. It is the gold standard for Kerberos and AD CS research.
  • Gentil Kiwi (Benjamin Delpy): The home of Mimikatz. Benjamin’s blog contains technical deep-dives into the very features he exploited.
  • Harmj0y (Will Schroeder): Essential reading for offensive PowerShell, PowerView, and BloodHound research.
  • SpecterOps Posts: High-level strategic research on attack paths and the "Certified Pre-Owned" whitepaper.

Attack Frameworks

  • MITRE ATT&CK: The industry standard for mapping attacker behavior.
  • Sigma Rules: Community-driven detection rules that cover almost every attack in this book.

Practical Tools and Scripts

Offensive Toolkits

  • Mimikatz GitHub: The source of truth for the tool.
  • Kekeo GitHub: Specialized Kerberos manipulation.
  • Rubeus: The premier C# toolkit for Kerberos abuse.
  • Impacket: A collection of Python classes for working with network protocols.

Defensive and Auditing Tools

  • BloodHound: The must-have tool for visualizing Active Directory attack paths.
  • Ping Castle: An excellent AD security auditor that identifies misconfigurations in minutes.
  • Purple Knight: A free tool for assessing your AD security posture against known TTPs.

Appendix A: Event ID Quick Reference

Event ID   Category        Meaning
4624       Logon           Successful logon (Type 3 = Network, Type 9 = New Credentials)
4648       Logon           Explicit credential logon (fired by sekurlsa::pth)
4662       Object Access   Directory Service access (DCSync/DCShadow detection)
4768       Kerberos        TGT requested (PreAuth 2 = Password, 16 = Certificate)
4769       Kerberos        Service ticket requested (the target for Kerberoasting)
4724       Account Mgmt    An administrative password reset (fired by setntlm)
4742       Account Mgmt    Computer account changed (look for rogue SPNs)
4887       Certificates    Certificate issued by the CA

Appendix B: Network Ports for AD Operations

  • 88: Kerberos (TCP/UDP)
  • 389 / 636: LDAP / LDAPS
  • 135: RPC Endpoint Mapper
  • 445: SMB / CIFS
  • 464: Kerberos Password Change
  • 3268 / 3269: Global Catalog

Summary

This book has been a journey through the internals of Windows identity. We’ve looked at how secrets are stored, how they’re moved, and how they’re protected. But the most important takeaway is this: security is a process, not a state. The researchers listed in this chapter are constantly finding new ways to challenge the status quo, and your job is to keep up with them.

Use these resources to build your own labs, test your own detections, and refine your own tradecraft. The field needs professionals who are as comfortable in the debugger as they are in the meeting room.

Good luck out there.