Shadow Principals (PAM)

Theory

When a Bastion Forest is compromised, there are multiple ways to obtain persistence on the forest it manages (i.e. called "Production Forest" here).

Mark a low-privilege user from the Production Forest as an Shadow Security Principal in the Bastion Forest
Modify a Shadow Principal Object's DACL: add ACEs over a Shadow Principal Object (at least Read Members and Write Members) allowing a controlled user add and remove principals at will (in the member attribute.

Resources

https://www.labofapenetrationtester.com/2019/04/abusing-PAM.html

https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Shadow Principals (PAM)

Theory

Resources

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Shadow Principals (PAM) ​

Theory ​

Resources ​

Shadow Principals (PAM)

Theory

Resources