The definitive guide to Windows Identity, Kerberos, and PKI Research.
Originally developed as a private, high-end training curriculum for security conferences, this material is now being released to the public. Much of the technical depth and internal logic documented here was refined with the direct help and insight of Benjamin Delpy, the author of Mimikatz.
This project transitions years of instructor-led material into a self-paced, deep-dive manual. It explains not just the commands, but the why and the how of the Windows protocols being manipulated.
It is designed for:
- Red Teams: Detailed command references and operational tradecraft.
- Blue Teams: Detection strategies, event log signatures, and mitigation guides.
- Security Researchers: A master class in Windows Security Authority (LSA) internals.
You can access the online version of the manual at Github Page
The manual is organized into seven logical parts:
- Foundations: Setup, architecture, and basic modules.
- System Internals: Tokens, processes, services, and RPC.
- LSASS & Credentials: Dumping secrets, patching memory, and kernel-level access.
- Kerberos Deep Dive: Tickets, forgery, roasting, and delegation.
- PKI & Certificates: Hardware (Smart Cards) and software-based identity abuse.
- Domain Persistence: DCSync, NetSync, and the DCShadow rogue DC attack.
- DPAPI: Unlocking data at rest, master keys, and backup keys.
The manual is best viewed as a GitHub Pages site.
If you are running it locally:
- Install the requirements:
pip install mkdocs-material - Serve the site:
mkdocs serve - Navigate to
http://localhost:8000
This material is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always ensure you have explicit permission before conducting security assessments.
— Carlos Perez (DarkOperator)
