I gave a talk recently at BSides Iowa and now that my talk is finished I wanted to get back to blogging.  There were a number of topics in my talk and a number of them have yet to be written about.  One of those topics is about the recent changes in Lsass.  Basically, Microsoft has restricted our ability to use Mimikatz to dump Lsass. 

What is Lsass? 

Local Security Authority Subsystem Service (Lsass.exe) is the process on an Active Directory domain controller. It's responsible for providing Active Directory database lookups, authentication, and replication.

To summarize that into something meaningful, Lsass contains usernames, passwords, and hashes. 

"A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name."

I have to be honest, in my many years as an administrator, I've never had to set this up.  Though as a penetration tester, I like to understand both sides of what's going on.  I've used GetUserSPNs a few times but the question that I've asked myself is -- how did this happen?

I've been noodling around with C# and I came up with an idea.  When we compile an executable, we get that generic application icon.  With a simple flag, we can add an icon -- I thought the PDF icon would be interesting for obvious reasons.  Let's start with something simple, we're just going to compile this C# that pops open notepad.