# Global Arguments ```ps1 $ bloodyAD -h usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k [KERBEROS ...]] [-f {b64,hex,aes,rc4,default}] [-c [CERTIFICATE]] [-s] -H HOST [-i DC_IP] [--dns DNS] [-t TIMEOUT] [--gc] [-v {QUIET,INFO,DEBUG,TRACE}] [--json] {add,get,msldap,remove,set} ... AD Privesc Swiss Army Knife options: -h, --help show this help message and exit -d DOMAIN, --domain DOMAIN Domain used for NTLM authentication -u USERNAME, --username USERNAME Username used for NTLM authentication -p PASSWORD, --password PASSWORD password or LMHASH:NTHASH for NTLM authentication, password or AES/RC4 key for kerberos, password for certificate (Do not specify to trigger integrated windows authentication) -k [KERBEROS ...], --kerberos [KERBEROS ...] Enable Kerberos authentication. If '-p' is provided it will try to query a TGT with it. You can also provide a list of one or more optional keywords as '-k kdc=192.168.100.1 kdcc=192.168.150.1 realmc=foreign.realm.corp =/home/silver/Admin.ccache', being ccache, kirbi or keytab, 'kdc' being the kerberos server for the keyfile provided and 'realmc' and 'kdcc' for cross realm (the realm of the '--host' provided) -f {b64,hex,aes,rc4,default}, --format {b64,hex,aes,rc4,default} Specify format for '--password' or '-k ' -c [CERTIFICATE], --certificate [CERTIFICATE] Schannel authentication or krb pkinit if -k also provided, e.g: "path/to/key:path/to/cert" (Use Windows Certstore with krb if left empty) -s, --secure Use LDAP/GC over TLS (LDAPS/GCS). Use -ss to remove all encryption/signing (useful for debug). 
-H HOST, --host HOST Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3) -i DC_IP, --dc-ip DC_IP IP of the DC (useful if you provided a --host which can't resolve) --dns DNS IP of the DNS to resolve AD names (useful for inter- domain functions) -t TIMEOUT, --timeout TIMEOUT Connection timeout in seconds --gc Connect to Global Catalog (GC) -v {QUIET,INFO,DEBUG,TRACE}, --verbose {QUIET,INFO,DEBUG,TRACE} Adjust output verbosity --json Output results in JSON format Commands: {add,get,msldap,remove,set} add [ADD] function category get [GET] function category msldap [MSLDAP] function category remove [REMOVE] function category set [SET] function category ``` # Commands Arguments ## add Commands ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add -h usage: bloodyAD add [-h] {badSuccessor,computer,dcsync,dnsRecord,genericAll,groupMember,rbcd,shadowCredentials,uac,user} ... options: -h, --help show this help message and exit add commands: {badSuccessor,computer,dcsync,dnsRecord,genericAll,groupMember,rbcd,shadowCredentials,uac,user} badSuccessor Add a new DMSA (Dedicated Managed Service Account) object computer Add new computer dcsync Add DCSync right on domain to provided trustee (Requires to own or to have WriteDacl on domain object) dnsRecord This function adds a new DNS record into an AD environment. genericAll Give full control to trustee on target and descendants (you must own the object or have WriteDacl) groupMember Add a new member (user, group, computer) to group rbcd Add Resource Based Constraint Delegation for service on target, used to impersonate a user on target with service (Requires "Write" permission on target's msDS- AllowedToActOnBehalfOfOtherIdentity and Windows Server >= 2012) shadowCredentials Add Key Credentials to target (try to find a suitable DC if provided DC is below Win2016), and use those credentials to retrieve a TGT and a NT hash using PKINIT. 
uac Add property flags altering user/computer object behavior user Add a new user ``` ### add badSuccessor ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add badSuccessor -h usage: bloodyAD add badSuccessor [-h] [-t T] [--ou OU] dmsa positional arguments: dmsa hostname of the DMSA object (no need to add '$') options: -h, --help show this help message and exit -t T Distinguished Name of the target whose privileges are to be assumed (can be called multiple times, e.g. "-t CN=Admin,CN=Users,DC=domain,DC=com -t CN=John,CN=Users,DC=domain,DC=com") (default: ['CN=Administrator,CN=Users,DC=Current,DC=Domain']) --ou OU Organizational Unit for the DMSA object. If not provided, chooses the first OU the logged user can add child to. (default: None) ``` ### add computer ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add computer -h usage: bloodyAD add computer [-h] [--ou OU] [--lifetime LIFETIME] hostname newpass positional arguments: hostname computer name (without trailing $) newpass password for computer options: -h, --help show this help message and exit --ou OU Organizational Unit for computer (default: DefaultOU) --lifetime LIFETIME lifetime of new computer in seconds, if non-zero creates it as a dynamic object (default: 0) ``` > [!TIP] > Make sure to provide the domain FQDN as domain global argument `-d bloody.lab` or you will run into an issue as `problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)` ### add dcsync ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add dcsync -h usage: bloodyAD add dcsync [-h] trustee positional arguments: trustee sAMAccountName, DN or SID of the trustee options: -h, --help show this help message and exit ``` ### add dnsRecord ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add dnsRecord -h usage: bloodyAD add dnsRecord [-h] [--dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}] [--zone ZONE] [--ttl TTL] [--preference PREFERENCE] [--port PORT] [--priority PRIORITY] [--weight WEIGHT] 
[--forest] name data positional arguments: name name of the dnsNode object (hostname) which will contain the new record data DNS record data, for most record types this will be the destination hostname or IP address, for TXT records this can be used for text options: -h, --help show this help message and exit --dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT} DNS record type (default: A) --zone ZONE DNS zone (default: CurrentDomain) --ttl TTL DNS record TTL, time in seconds the record stays in DNS caches, must be low if you want to propagate record updates quickly (default: 300) --preference PREFERENCE DNS MX record preference, must be lower than the concurrent records to be chosen (default: 10) --port PORT listening port of the service in a DNS SRV record (default: None) --priority PRIORITY priority of a DNS SRV record against concurrent, must be lower to be chosen, if identical to others, highest weight will be chosen (default: 10) --weight WEIGHT weight of a DNS SRV record against concurrent, must be higher with the lowest priority to be chosen (default: 60) --forest if set, registers dns record in forest instead of domain (default: False) ``` Simplest usage: ```ps1 $ bloodyAD --host 10.1.0.4 -u bloodyAdmin -p 'Password123!' 
-d bloody add dnsRecord test.bloody.local 8.8.8.8 ``` ### add genericAll ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add genericAll -h usage: bloodyAD add genericAll [-h] target trustee positional arguments: target sAMAccountName, DN or SID of the target trustee sAMAccountName, DN or SID of the trustee which will have full control on target options: -h, --help show this help message and exit ``` ### add groupMember ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add groupMember -h usage: bloodyAD add groupMember [-h] group member positional arguments: group sAMAccountName, DN or SID of the group member sAMAccountName, DN or SID of the member options: -h, --help show this help message and exit ``` > [!NOTE] > Support Foreign Users ### add rbcd ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add rbcd -h usage: bloodyAD add rbcd [-h] target service positional arguments: target sAMAccountName, DN or SID of the target service sAMAccountName, DN or SID of the service account options: -h, --help show this help message and exit ``` ### add shadowCredentials ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add shadowCredentials -h usage: bloodyAD add shadowCredentials [-h] [--path PATH] target positional arguments: target sAMAccountName, DN or SID of the target options: -h, --help show this help message and exit --path PATH filepath for the generated credentials (TGT ccache or pfx if PKINIT fails) (default: CurrentPath) ``` > [!WARNING] > - DC must run at least Windows Server 2016 (msDS-KeyCredentialLink only available since 2016 AD Schema), to verify: > - query the RootDSE of the DC `get object ''` and verify domainControllerFunctionality is 7 or above > - or the nTDSDSA of the DC e.g.: `get object CN=NTDS Settings,CN=ALLMIGHTY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bloody,DC=lab --attr msDS-Behavior-Version` > - Be in a domain where the DC has AD CS enabled or a certificate authority set up in 
order for the PKINIT to work ### add uac ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add uac -h usage: bloodyAD add uac [-h] [-f F] target positional arguments: target sAMAccountName, DN or SID of the target options: -h, --help show this help message and exit -f F name of property flag to add, can be called multiple times if multiple flags to add (e.g -f DONT_REQ_PREAUTH -f DONT_EXPIRE_PASSWORD) (default: None) ``` ### add user ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass add user -h usage: bloodyAD add user [-h] [--ou OU] [--lifetime LIFETIME] sAMAccountName newpass positional arguments: sAMAccountName sAMAccountName for new user newpass password for new user options: -h, --help show this help message and exit --ou OU Organizational Unit for new user (default: DefaultOU) --lifetime LIFETIME lifetime of new user in seconds, if non-zero creates it as a dynamic object (default: 0) ``` ## get Commands ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get -h usage: bloodyAD get [-h] {bloodhound,children,dnsDump,membership,object,search,trusts,writable} ... options: -h, --help show this help message and exit get commands: {bloodhound,children,dnsDump,membership,object,search,trusts,writable} bloodhound BloodHound CE collector (WARNING: This script is still in development. It only provides the basics - ADCS ESC and other complex nodes aren't supported yet) children List children for a given target object dnsDump Retrieve DNS records of the Active Directory readable/listable by the user membership Retrieve SID and SAM Account Names of all groups a target belongs to object Retrieve LDAP attributes for the target object provided, binary data will be outputted in base64 search Search in LDAP database, binary data will be outputted in base64 trusts Display trusts in an ascii tree starting from the DC domain as tree root. 
A->B means A can auth on B and A-B means bidirectional writable Retrieve objects writable by client ``` ### get bloodhound ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get bloodhound -h usage: bloodyAD get bloodhound [-h] [--transitive] [--path PATH] options: -h, --help show this help message and exit --transitive if set, will try to reach trusts to have more complete results (you should start from a dc of your user domain to have more complete results) (default: False) --path PATH filepath for the generated zip file (default: CurrentPath) ``` ### get children List children for a given target object: ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get children -h usage: bloodyAD get children [-h] [--target TARGET] [--otype OTYPE] [--direct] options: -h, --help show this help message and exit --target TARGET sAMAccountName, DN or SID of the target (default: DOMAIN) --otype OTYPE special keyword "useronly" or objectClass of objects to fetch e.g. user, computer, group, trustedDomain, organizationalUnit, container, groupPolicyContainer, msDS- GroupManagedServiceAccount, etc (default: *) --direct Fetch only direct children of target (default: False) ``` ### get dnsDump Retrieve DNS records of the Active Directory readable/listable by the user: ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get dnsDump -h usage: bloodyAD get dnsDump [-h] [--zone ZONE] [--no-detail] [--transitive] options: -h, --help show this help message and exit --zone ZONE if set, prints only records in this zone (default: None) --no-detail if set doesn't include system records such as _ldap, _kerberos, @, etc (default: False) --transitive if set, try to fetch dns records in AD trusts (you should start from a DC of your user domain to have exhaustive results) (default: False) ``` `--zone` can be used e.g. 
to display only our domain zone `--zone bloody.local` ### get membership Retrieve SID and SAM Account Names of all groups a target belongs to: ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get membership -h usage: bloodyAD get membership [-h] [--no-recurse] target positional arguments: target sAMAccountName, DN or SID of the target options: -h, --help show this help message and exit --no-recurse if set, doesn't retrieve groups where target isn't a direct member (default: False) ``` If `--no-recurse` is set, and our target `john` belongs to a group `printer admins` which belongs to `Domain Admins`, `Domain Admins` will not be displayed in the result. ### get object Retrieve LDAP attributes for the target object provided, binary data will be outputted in base64: ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get object -h usage: bloodyAD get object [-h] [--attr ATTR] [--resolve-sd] [--raw] [--transitive] target positional arguments: target sAMAccountName, DN or SID of the target (if you give an empty string "" prints rootDSE) options: -h, --help show this help message and exit --attr ATTR attributes to retrieve separated by a comma, retrieves all the attributes by default (default: *) --resolve-sd if set, permissions linked to a security descriptor will be resolved (see bloodyAD github wiki/Access-Control for more information) (default: False) --raw if set, will return attributes as sent by the server without any formatting, binary data will be outputted in base64 (default: False) --transitive if set with "--resolve-sd", will try to resolve foreign SID by reaching trusts (default: False) ``` Examples: ```ps1 # Get group members bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 get object "Domain Admins" --attr member # Get UserAccountControl flags # Get User account controls (e.g. see if user is locked) bloodyAD -u Administrator -d bloody -p Password512! 
--host 192.168.10.2 get object john.doe --attr userAccountControl # Read GMSA account password bloodyAD -u john.doe -d bloody -p Password512 --host 192.168.10.2 get object 'gmsaAccount$' --attr msDS-ManagedPassword # Read LAPS password bloodyAD -u john.doe -d bloody -p Password512 --host 192.168.10.2 get object 'COMPUTER$' --attr ms-Mcs-AdmPwd ``` ### get search ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get search -h usage: bloodyAD get search [-h] [--base BASE] [--filter FILTER] [--attr ATTR] [--resolve-sd] [--raw] [--transitive] [-c C] options: -h, --help show this help message and exit --base BASE DN of the parent object (default: DOMAIN) --filter FILTER filter to apply to the LDAP search (see Microsoft LDAP filter syntax) (default: (objectClass=*)) --attr ATTR attributes to retrieve separated by a comma (default: *) --resolve-sd if set, permissions linked to a security descriptor will be resolved (see bloodyAD github wiki/Access-Control for more information) (default: False) --raw if set, will return attributes as sent by the server without any formatting, binary data will be outputed in base64 (default: False) --transitive if set with "--resolve-sd", will try to resolve foreign SID by reaching trusts (default: False) -c C if set, will use the controls for extended search operations, e.g. 
"-c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065" to display tombstoned, deleted and recycled objects and their linked attributes (default: []) ``` > [!NOTE] > You can filter by binary attributes by giving escaped bytes of data, e.g.: > `get search --filter '(attributeSecurityGuid=b\BC\05X\C9\BD\28D\A5\E2\85j\0FL\18\5E)' --attr=ldapDisplayName --base CN=Schema,CN=Configuration,DC=BLOODY,DC=LAB` ### get trusts ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get trusts -h usage: bloodyAD get trusts [-h] [--transitive] options: -h, --help show this help message and exit --transitive Try to fetch transitive trusts (you should start from a dc of your user domain to have more complete results) (default: False) ``` ### get writable ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass get writable -h usage: bloodyAD get writable [-h] [--otype {ALL,OU,USER,COMPUTER,GROUP,DOMAIN,GPO}] [--right {ALL,WRITE,CHILD}] [--detail] [--exclude-del] [--bh] options: -h, --help show this help message and exit --otype {ALL,OU,USER,COMPUTER,GROUP,DOMAIN,GPO} type of writable object to retrieve (default: ALL) --right {ALL,WRITE,CHILD} type of right to search (default: ALL) --detail if set, displays attributes/object types you can write/create for the object (default: False) --exclude-del if set, exclude deleted objects (default: False) --bh if set, creates a BloodHound-compatible Zip file with the writable objects found (default: False) ``` ## msldap Commands > [!WARNING] > Commands below are experimental ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap -h usage: bloodyAD msldap [-h] 
{add_genericwrite,addallowedtoactonbehalfofotheridentity,addcerttemplatenameflagaltname,addcomputer,addenrollmentright,addhostname,addprivaddmember,addprivdcsync,addspn,adduser,addusertogroup,adinfo,aiacas,allschemaentry,asrep,badsuccessor_check,certify,certify2,certtemplates,changeowner,changesamaccountname,changeuserpw,computeraddr,constrained,create_broken_dmsa_user,dadms,delete,delspn,deluser,deluserfromgroup,disableuser,dmsaaddmanagedaccountprecededbylink,dmsas,dmsasetdelegatedmsastate,dn2sam,dn2sid,dnsadd,dnsdelete,dnsdump,dnsgetserial,dnsmodify,dnsquery,dnsqueryall,dnsremove,dnsrestore,dnssoa,dnszones,dump,enableuser,enrollmentservices,genschema,getsd,gmsa,gpos,groupmembers,groupmembership,laps,lapstarget,ldapinfo,machine,modify,ntcas,pre2000,query,rootcas,s4u2proxy,sam2dn,schemaentry,setsd,shadowcred,sid2dn,sidresolv,spns,tree,trusts,unconstrained,unlockuser,user,whoami,whoamiraw} ... options: -h, --help show this help message and exit msldap commands: {add_genericwrite,addallowedtoactonbehalfofotheridentity,addcerttemplatenameflagaltname,addcomputer,addenrollmentright,addhostname,addprivaddmember,addprivdcsync,addspn,adduser,addusertogroup,adinfo,aiacas,allschemaentry,asrep,badsuccessor_check,certify,certify2,certtemplates,changeowner,changesamaccountname,changeuserpw,computeraddr,constrained,create_broken_dmsa_user,dadms,delete,delspn,deluser,deluserfromgroup,disableuser,dmsaaddmanagedaccountprecededbylink,dmsas,dmsasetdelegatedmsastate,dn2sam,dn2sid,dnsadd,dnsdelete,dnsdump,dnsgetserial,dnsmodify,dnsquery,dnsqueryall,dnsremove,dnsrestore,dnssoa,dnszones,dump,enableuser,enrollmentservices,genschema,getsd,gmsa,gpos,groupmembers,groupmembership,laps,lapstarget,ldapinfo,machine,modify,ntcas,pre2000,query,rootcas,s4u2proxy,sam2dn,schemaentry,setsd,shadowcred,sid2dn,sidresolv,spns,tree,trusts,unconstrained,unlockuser,user,whoami,whoamiraw} add_genericwrite Adds a generic write ACE to a target object addallowedtoactonbehalfofotheridentity Adds a SID to the 
msDS- AllowedToActOnBehalfOfOtherIdentity protperty of target_dn addcerttemplatenameflagaltname Modifyies the msPKI-Certificate-Name-Flag value of the specified certificate template and enables ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME bit. If 'flags' is present then it will assign that value. addcomputer Adds a new computer account addenrollmentright Grants enrollment rights to a user (by DN) for the specified certificate template. addhostname Adds additional hostname to computer account addprivaddmember Adds AddMember rights to the user on the group specified by group_dn addprivdcsync Adds DCSync rights to the given user by modifying the forest's Security Descriptor to add GetChanges and GetChangesAll ACE addspn Adds an SPN entry to the users account adduser Creates a new domain user with password addusertogroup Adds user to specified group. Both user and group must be in DN format! adinfo Prints detailed Active Driectory info aiacas Lists AIA CA certificates allschemaentry Feteches all schema object entry objects asrep Fetches ASREP-roastable user accounts badsuccessor_check Checks if Badsuccessor vulnerability is present on the domain certify ADCA security test certify2 ADCA security test - new version certtemplates Lists certificate templates changeowner Changes the owner in a Security Descriptor to the new_owner_sid on an LDAP object or on an LDAP object's attribute identified by target_dn and target_attribute. target_attribute can be omitted to change the target_dn's SD's owner changesamaccountname Changes the sAMAccountName of a given DN changeuserpw Changes user password, if you are admin then old pw doesnt need to be supplied computeraddr Fetches all computer accounts constrained Lists all constrained delegation objects create_broken_dmsa_user This will create a dmsa service user that can be used for neferious reasons, but DO NOT USE THIS FOR ANYTHING ELSE! 
dadms Lists all members of the domain administrators group delete Remove an object identified by its DN delspn Removes an SPN entry to the users account deluser Deletes the user! This action is irrecoverable (actually domain admins can do that but probably will shout with you) deluserfromgroup Removes user from specified group. Both user and group must be in DN format! disableuser Unlock user by flipping useraccountcontrol bits dmsaaddmanagedaccountprecededbylink Adds a managed account preceded by link to a DMSA dmsas Lists all delegated managed service accounts (DMSA) dmsasetdelegatedmsastate Sets the delegated MSA state of a DMSA dn2sam Fetches the sAMAccountName of an object based on the DN dn2sid Fetches the objectSid of an object based on the DN dnsadd Adds a DNS record for a given target dnsdelete Deletes a DNS record for a given target (completely removes the record from the AD) dnsdump Execute dnsdump from MSLDAPClientConsole dnsgetserial Gets the serial number of a DNS record for a given zone dnsmodify Modifies a DNS record for a given target dnsquery Queries a DNS record for a given target dnsqueryall Queries all DNS records for a given zone dnsremove Removes a DNS record for a given target (tombstones the record) dnsrestore Restores a DNS record for a given target dnssoa Prints the SOA record of a given zone dnszones Lists all DNS zones dump Fetches ALL user and machine accounts from the domain with a LOT of attributes enableuser Unlock user by flipping useraccountcontrol bits enrollmentservices Lists AIA CA certificates genschema Generates schema data. This will take a long time. getsd Feteches security info for a given DN gmsa Lists all managed service accounts (MSA). 
If user has permissions it retrieves the password as well gpos Feteches security info for a given DN groupmembers Returns all member users in a group specified by DN groupmembership Feteches names all groupnames the user is a member of for a given DN laps Feteches all laps passwords lapstarget Feteches all laps password for a given machine ldapinfo Prints detailed LDAP connection info (DSA) machine Feteches a machine object based on the sAMAccountName of the machine modify Modify an attribute of object. Only works with string data types! ntcas Lists NT CA certificates pre2000 Lists potentially abusable machine accounts created with pre windows-2000 flag query Performs a raw LDAP query against the server. Secondary parameter is the requested attributes SEPARATED WITH COMMA (,) rootcas Lists Root CA certificates s4u2proxy Lists all S4U2Proxy objects sam2dn Fetches the DN of an object based on the sAMAccountName schemaentry Feteches a schema object entry object based on the DN of the object (must start with CN=) setsd Updates the security descriptor of an object shadowcred Execute shadowcred from MSLDAPClientConsole sid2dn Fetches the DN of an object based on the objectSid sidresolv Returns the domain and username for SID spns Fetches kerberoastable user accounts tree Prints a tree from the given DN (if not set, the top) and with a given depth (default: 1) trusts Feteches gives back domain trusts unconstrained Lists all unconstrained delegation objects unlockuser Unlock user by setting lockoutTime to 0 user Feteches a user object based on the sAMAccountName of the user whoami Full whoami whoamiraw Simple whoami ``` ### msldap add_genericwrite ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap add_genericwrite -h usage: bloodyAD msldap add_genericwrite [-h] targetdn userdn positional arguments: targetdn targetdn userdn userdn options: -h, --help show this help message and exit ``` ### msldap addallowedtoactonbehalfofotheridentity ```ps1 $ bloodyAD -H 
10.10.10.10 -d bloody -u admin -p pass msldap addallowedtoactonbehalfofotheridentity -h usage: bloodyAD msldap addallowedtoactonbehalfofotheridentity [-h] target_dn other_identity_sid positional arguments: target_dn target_dn other_identity_sid other_identity_sid options: -h, --help show this help message and exit ``` ### msldap addcerttemplatenameflagaltname ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addcerttemplatenameflagaltname -h usage: bloodyAD msldap addcerttemplatenameflagaltname [-h] [--flags FLAGS] certtemplatename positional arguments: certtemplatename certtemplatename options: -h, --help show this help message and exit --flags FLAGS flags (default: None) ``` ### msldap addcomputer ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addcomputer -h usage: bloodyAD msldap addcomputer [-h] [--computername COMPUTERNAME] [--password PASSWORD] options: -h, --help show this help message and exit --computername COMPUTERNAME computername (default: None) --password PASSWORD password (default: None) ``` ### msldap addenrollmentright ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addenrollmentright -h usage: bloodyAD msldap addenrollmentright [-h] certtemplatename user_dn positional arguments: certtemplatename certtemplatename user_dn user_dn options: -h, --help show this help message and exit ``` ### msldap addhostname ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addhostname -h usage: bloodyAD msldap addhostname [-h] user_dn hostname positional arguments: user_dn user_dn hostname hostname options: -h, --help show this help message and exit ``` ### msldap addprivaddmember ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addprivaddmember -h usage: bloodyAD msldap addprivaddmember [-h] user_dn group_dn positional arguments: user_dn user_dn group_dn group_dn options: -h, --help show this help message and exit ``` ### msldap addprivdcsync ```ps1 $ bloodyAD -H 10.10.10.10 
-d bloody -u admin -p pass msldap addprivdcsync -h usage: bloodyAD msldap addprivdcsync [-h] [--forest FOREST] user_dn positional arguments: user_dn user_dn options: -h, --help show this help message and exit --forest FOREST forest (default: None) ``` ### msldap addspn ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addspn -h usage: bloodyAD msldap addspn [-h] user_dn spn positional arguments: user_dn user_dn spn spn options: -h, --help show this help message and exit ``` ### msldap adduser ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap adduser -h usage: bloodyAD msldap adduser [-h] user_dn password positional arguments: user_dn user_dn password password options: -h, --help show this help message and exit ``` ### msldap addusertogroup ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap addusertogroup -h usage: bloodyAD msldap addusertogroup [-h] user_dn group_dn positional arguments: user_dn user_dn group_dn group_dn options: -h, --help show this help message and exit ``` ### msldap adinfo ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap adinfo -h usage: bloodyAD msldap adinfo [-h] options: -h, --help show this help message and exit ``` ### msldap aiacas ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap aiacas -h usage: bloodyAD msldap aiacas [-h] options: -h, --help show this help message and exit ``` ### msldap allschemaentry ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap allschemaentry -h usage: bloodyAD msldap allschemaentry [-h] options: -h, --help show this help message and exit ``` ### msldap asrep ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap asrep -h usage: bloodyAD msldap asrep [-h] options: -h, --help show this help message and exit ``` ### msldap badsuccessor_check ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap badsuccessor_check -h usage: bloodyAD msldap badsuccessor_check [-h] options: -h, --help show 
this help message and exit ``` ### msldap certify ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap certify -h usage: bloodyAD msldap certify [-h] [--cmd CMD] [--username USERNAME] options: -h, --help show this help message and exit --cmd CMD cmd (default: None) --username USERNAME username (default: None) ``` ### msldap certify2 ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap certify2 -h usage: bloodyAD msldap certify2 [-h] [--username USERNAME] options: -h, --help show this help message and exit --username USERNAME username (default: None) ``` ### msldap certtemplates ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap certtemplates -h usage: bloodyAD msldap certtemplates [-h] [--name NAME] options: -h, --help show this help message and exit --name NAME name (default: None) ``` ### msldap changeowner ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap changeowner -h usage: bloodyAD msldap changeowner [-h] [--target-attribute TARGET_ATTRIBUTE] new_owner_sid target_dn positional arguments: new_owner_sid new_owner_sid target_dn target_dn options: -h, --help show this help message and exit --target-attribute TARGET_ATTRIBUTE target_attribute (default: None) ``` ### msldap changesamaccountname ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap changesamaccountname -h usage: bloodyAD msldap changesamaccountname [-h] dn newname positional arguments: dn dn newname newname options: -h, --help show this help message and exit ``` ### msldap changeuserpw ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap changeuserpw -h usage: bloodyAD msldap changeuserpw [-h] [--oldpass OLDPASS] user_dn newpass positional arguments: user_dn user_dn newpass newpass options: -h, --help show this help message and exit --oldpass OLDPASS oldpass (default: None) ``` ### msldap computeraddr ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap computeraddr -h usage: bloodyAD msldap 
computeraddr [-h] options: -h, --help show this help message and exit ``` ### msldap constrained ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap constrained -h usage: bloodyAD msldap constrained [-h] options: -h, --help show this help message and exit ``` ### msldap create_broken_dmsa_user ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap create_broken_dmsa_user -h usage: bloodyAD msldap create_broken_dmsa_user [-h] user_dn computersid positional arguments: user_dn user_dn computersid computersid options: -h, --help show this help message and exit ``` ### msldap dadms ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dadms -h usage: bloodyAD msldap dadms [-h] options: -h, --help show this help message and exit ``` ### msldap delete ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap delete -h usage: bloodyAD msldap delete [-h] [--confirm CONFIRM] dn positional arguments: dn dn options: -h, --help show this help message and exit --confirm CONFIRM confirm (default: NO) ``` ### msldap delspn ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap delspn -h usage: bloodyAD msldap delspn [-h] user_dn spn positional arguments: user_dn user_dn spn spn options: -h, --help show this help message and exit ``` ### msldap deluser ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap deluser -h usage: bloodyAD msldap deluser [-h] user_dn positional arguments: user_dn user_dn options: -h, --help show this help message and exit ``` ### msldap deluserfromgroup ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap deluserfromgroup -h usage: bloodyAD msldap deluserfromgroup [-h] user_dn group_dn positional arguments: user_dn user_dn group_dn group_dn options: -h, --help show this help message and exit ``` ### msldap disableuser ```ps1 $ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap disableuser -h usage: bloodyAD msldap disableuser [-h] user_dn positional arguments: 
  user_dn     user_dn

options:
  -h, --help  show this help message and exit
```

### msldap dmsaaddmanagedaccountprecededbylink

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dmsaaddmanagedaccountprecededbylink -h
usage: bloodyAD msldap dmsaaddmanagedaccountprecededbylink [-h] dn managedaccountprecededbylink

positional arguments:
  dn                            dn
  managedaccountprecededbylink  managedaccountprecededbylink

options:
  -h, --help                    show this help message and exit
```

### msldap dmsas

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dmsas -h
usage: bloodyAD msldap dmsas [-h]

options:
  -h, --help  show this help message and exit
```

### msldap dmsasetdelegatedmsastate

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dmsasetdelegatedmsastate -h
usage: bloodyAD msldap dmsasetdelegatedmsastate [-h] dn delegatedmsastate

positional arguments:
  dn                 dn
  delegatedmsastate  delegatedmsastate

options:
  -h, --help         show this help message and exit
```

### msldap dn2sam

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dn2sam -h
usage: bloodyAD msldap dn2sam [-h] dn

positional arguments:
  dn          dn

options:
  -h, --help  show this help message and exit
```

### msldap dn2sid

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dn2sid -h
usage: bloodyAD msldap dn2sid [-h] dn

positional arguments:
  dn          dn

options:
  -h, --help  show this help message and exit
```

### msldap dnsadd

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsadd -h
usage: bloodyAD msldap dnsadd [-h] [--zone ZONE] [--forest] [--legacy] target ip

positional arguments:
  target       target
  ip           ip

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsdelete

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsdelete -h
usage: bloodyAD msldap dnsdelete [-h] [--zone ZONE] [--forest] [--legacy] target

positional arguments:
  target       target

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsdump

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsdump -h
usage: bloodyAD msldap dnsdump [-h] [--zone ZONE]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
```

### msldap dnsgetserial

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsgetserial -h
usage: bloodyAD msldap dnsgetserial [-h] [--zone ZONE] [--forest] [--legacy]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsmodify

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsmodify -h
usage: bloodyAD msldap dnsmodify [-h] [--zone ZONE] [--forest] [--legacy] target ip

positional arguments:
  target       target
  ip           ip

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsquery

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsquery -h
usage: bloodyAD msldap dnsquery [-h] [--zone ZONE] [--forest] [--legacy] target

positional arguments:
  target       target

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsqueryall

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsqueryall -h
usage: bloodyAD msldap dnsqueryall [-h] [--zone ZONE] [--forest] [--legacy]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsremove

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsremove -h
usage: bloodyAD msldap dnsremove [-h] [--zone ZONE] [--forest] [--legacy] target ip

positional arguments:
  target       target
  ip           ip

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnsrestore

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnsrestore -h
usage: bloodyAD msldap dnsrestore [-h] [--zone ZONE] [--forest] [--legacy] target

positional arguments:
  target       target

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnssoa

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnssoa -h
usage: bloodyAD msldap dnssoa [-h] [--zone ZONE] [--forest] [--legacy]

options:
  -h, --help   show this help message and exit
  --zone ZONE  zone (default: None)
  --forest     forest (default: False)
  --legacy     legacy (default: False)
```

### msldap dnszones

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dnszones -h
usage: bloodyAD msldap dnszones [-h] [--to-print-props]

options:
  -h, --help        show this help message and exit
  --to-print-props  to_print_props (default: False)
```

### msldap dump

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap dump -h
usage: bloodyAD msldap dump [-h]

options:
  -h, --help  show this help message and exit
```

### msldap enableuser

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap enableuser -h
usage: bloodyAD msldap enableuser [-h] user_dn

positional arguments:
  user_dn     user_dn

options:
  -h, --help  show this help message and exit
```

### msldap enrollmentservices

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap enrollmentservices -h
usage: bloodyAD msldap enrollmentservices [-h]

options:
  -h, --help  show this help message and exit
```

### msldap genschema

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap genschema -h
usage: bloodyAD msldap genschema [-h]

options:
  -h, --help  show this help message and exit
```

### msldap getsd

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap getsd -h
usage: bloodyAD msldap getsd [-h] [--opts OPTS] dn

positional arguments:
  dn           dn

options:
  -h, --help   show this help message and exit
  --opts OPTS  opts (default: )
```

### msldap gmsa

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap gmsa -h
usage: bloodyAD msldap gmsa [-h]

options:
  -h, --help  show this help message and exit
```

### msldap gpos

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap gpos -h
usage: bloodyAD msldap gpos [-h]

options:
  -h, --help  show this help message and exit
```

### msldap groupmembers

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap groupmembers -h
usage: bloodyAD msldap groupmembers [-h] [--recursive] dn

positional arguments:
  dn           dn

options:
  -h, --help   show this help message and exit
  --recursive  recursive (default: True)
```

### msldap groupmembership

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap groupmembership -h
usage: bloodyAD msldap groupmembership [-h] dn

positional arguments:
  dn          dn

options:
  -h, --help  show this help message and exit
```

### msldap laps

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap laps -h
usage: bloodyAD msldap laps [-h]

options:
  -h, --help  show this help message and exit
```

### msldap lapstarget

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap lapstarget -h
usage: bloodyAD msldap lapstarget [-h] machinesid

positional arguments:
  machinesid  machinesid

options:
  -h, --help  show this help message and exit
```

### msldap ldapinfo

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap ldapinfo -h
usage: bloodyAD msldap ldapinfo [-h]

options:
  -h, --help  show this help message and exit
```

### msldap machine

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap machine -h
usage: bloodyAD msldap machine [-h] samaccountname

positional arguments:
  samaccountname  samaccountname

options:
  -h, --help      show this help message and exit
```

### msldap modify

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap modify -h
usage: bloodyAD msldap modify [-h] dn attribute value

positional arguments:
  dn          dn
  attribute   attribute
  value       value

options:
  -h, --help  show this help message and exit
```

### msldap ntcas

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap ntcas -h
usage: bloodyAD msldap ntcas [-h]

options:
  -h, --help  show this help message and exit
```

### msldap pre2000

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap pre2000 -h
usage: bloodyAD msldap pre2000 [-h]

options:
  -h, --help  show this help message and exit
```

### msldap query

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap query -h
usage: bloodyAD msldap query [-h] [--attributes ATTRIBUTES] query

positional arguments:
  query                 query

options:
  -h, --help            show this help message and exit
  --attributes ATTRIBUTES
                        attributes (default: -)
```

### msldap rootcas

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap rootcas -h
usage: bloodyAD msldap rootcas [-h]

options:
  -h, --help  show this help message and exit
```

### msldap s4u2proxy

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap s4u2proxy -h
usage: bloodyAD msldap s4u2proxy [-h]

options:
  -h, --help  show this help message and exit
```

### msldap sam2dn

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap sam2dn -h
usage: bloodyAD msldap sam2dn [-h] sAMAccountName

positional arguments:
  sAMAccountName  sAMAccountName

options:
  -h, --help      show this help message and exit
```

### msldap schemaentry

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap schemaentry -h
usage: bloodyAD msldap schemaentry [-h] cn

positional arguments:
  cn          cn

options:
  -h, --help  show this help message and exit
```

### msldap setsd

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap setsd -h
usage: bloodyAD msldap setsd [-h] target_dn sddl

positional arguments:
  target_dn   target_dn
  sddl        sddl

options:
  -h, --help  show this help message and exit
```

### msldap shadowcred

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap shadowcred -h
usage: bloodyAD msldap shadowcred [-h] targetuser

positional arguments:
  targetuser  targetuser

options:
  -h, --help  show this help message and exit
```

### msldap sid2dn

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap sid2dn -h
usage: bloodyAD msldap sid2dn [-h] sid

positional arguments:
  sid         sid

options:
  -h, --help  show this help message and exit
```

### msldap sidresolv

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap sidresolv -h
usage: bloodyAD msldap sidresolv [-h] sid

positional arguments:
  sid         sid

options:
  -h, --help  show this help message and exit
```

### msldap spns

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap spns -h
usage: bloodyAD msldap spns [-h]

options:
  -h, --help  show this help message and exit
```

### msldap tree

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap tree -h
usage: bloodyAD msldap tree [-h] [--dn DN] [--level LEVEL]

options:
  -h, --help     show this help message and exit
  --dn DN        dn (default: None)
  --level LEVEL  level (default: 1)
```

### msldap trusts

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap trusts -h
usage: bloodyAD msldap trusts [-h]

options:
  -h, --help  show this help message and exit
```

### msldap unconstrained

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap unconstrained -h
usage: bloodyAD msldap unconstrained [-h]

options:
  -h, --help  show this help message and exit
```

### msldap unlockuser

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap unlockuser -h
usage: bloodyAD msldap unlockuser [-h] user_dn

positional arguments:
  user_dn     user_dn

options:
  -h, --help  show this help message and exit
```

### msldap user

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap user -h
usage: bloodyAD msldap user [-h] samaccountname

positional arguments:
  samaccountname  samaccountname

options:
  -h, --help      show this help message and exit
```

### msldap whoami

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap whoami -h
usage: bloodyAD msldap whoami [-h]

options:
  -h, --help  show this help message and exit
```

### msldap whoamiraw

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass msldap whoamiraw -h
usage: bloodyAD msldap whoamiraw [-h]

options:
  -h, --help  show this help message and exit
```

## remove Commands

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove -h
usage: bloodyAD remove [-h] {dcsync,dnsRecord,genericAll,groupMember,object,rbcd,shadowCredentials,uac} ...

options:
  -h, --help            show this help message and exit

remove commands:
  {dcsync,dnsRecord,genericAll,groupMember,object,rbcd,shadowCredentials,uac}
    dcsync              Remove DCSync right for provided trustee
    dnsRecord           Remove a DNS record of an AD environment.
    genericAll          Remove full control of trustee on target
    groupMember         Remove member (user, group, computer) from group
    object              Remove object (user, group, computer, organizational unit, etc)
    rbcd                Remove Resource Based Constraint Delegation for service on target
    shadowCredentials   Remove Key Credentials from target
    uac                 Remove property flags altering user/computer object behavior
```

### remove dcsync

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove dcsync -h
usage: bloodyAD remove dcsync [-h] trustee

positional arguments:
  trustee     sAMAccountName, DN or SID of the trustee

options:
  -h, --help  show this help message and exit
```

### remove dnsRecord

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove dnsRecord -h
usage: bloodyAD remove dnsRecord [-h] [--dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}]
                                 [--zone ZONE] [--ttl TTL] [--preference PREFERENCE]
                                 [--port PORT] [--priority PRIORITY] [--weight WEIGHT]
                                 [--forest]
                                 name data

positional arguments:
  name                  name of the dnsNode object (hostname) which contains the record
  data                  DNS record data

options:
  -h, --help            show this help message and exit
  --dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}
                        DNS record type (default: A)
  --zone ZONE           DNS zone (default: CurrentDomain)
  --ttl TTL             DNS record TTL (default: None)
  --preference PREFERENCE
                        DNS MX record preference (default: None)
  --port PORT           listening port of the service in a DNS SRV record (default: None)
  --priority PRIORITY   priority of a DNS SRV record against concurrent (default: None)
  --weight WEIGHT       weight of a DNS SRV record against concurrent (default: None)
  --forest              if set, will fetch the dns record in forest instead of domain
                        (default: False)
```

The options must be used if:

* The record is not an A type (you must provide other options depending on the type, but TTL is always optional)
* The record is not in the DOMAIN zone
* The record is in the Forest DNS Partition and not the Domain DNS Partition

Simplest usage:

```ps1
$ bloodyAD --host 10.1.0.4 -u bloodyAdmin -p 'Password123!' -d bloody remove dnsRecord test.bloody.local 8.8.8.8
```

### remove genericAll

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove genericAll -h
usage: bloodyAD remove genericAll [-h] target trustee

positional arguments:
  target      sAMAccountName, DN or SID of the target
  trustee     sAMAccountName, DN or SID of the trustee

options:
  -h, --help  show this help message and exit
```

### remove groupMember

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove groupMember -h
usage: bloodyAD remove groupMember [-h] group member

positional arguments:
  group       sAMAccountName, DN or SID of the group
  member      sAMAccountName, DN or SID of the member

options:
  -h, --help  show this help message and exit
```

### remove object

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove object -h
usage: bloodyAD remove object [-h] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit
```

### remove rbcd

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove rbcd -h
usage: bloodyAD remove rbcd [-h] target service

positional arguments:
  target      sAMAccountName, DN or SID of the target
  service     sAMAccountName, DN or SID of the service account

options:
  -h, --help  show this help message and exit
```

### remove shadowCredentials

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove shadowCredentials -h
usage: bloodyAD remove shadowCredentials [-h] [--key KEY] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit
  --key KEY   RSA key of Key Credentials to remove from the target, removes all if
              key not specified (default: None)
```

### remove uac

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass remove uac -h
usage: bloodyAD remove uac [-h] [-f F] target

positional arguments:
  target      sAMAccountName, DN or SID of the target

options:
  -h, --help  show this help message and exit
  -f F        name of property flag to remove, can be called multiple times if
              multiple flags to remove (e.g -f LOCKOUT -f ACCOUNTDISABLE)
              (default: None)
```

## set Commands

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass set -h
usage: bloodyAD set [-h] {object,owner,password,restore} ...

options:
  -h, --help            show this help message and exit

set commands:
  {object,owner,password,restore}
    object              Add/Replace/Delete target's attribute
    owner               Changes target ownership with provided owner (WriteOwner
                        permission required)
    password            Change password of a user/computer
    restore             Restore a deleted object
```

### set object

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass set object -h
usage: bloodyAD set object [-h] [-v V] [--raw] [--b64] target attribute

positional arguments:
  target      sAMAccountName, DN or SID of the target
  attribute   name of the attribute

options:
  -h, --help  show this help message and exit
  -v V        add value if attribute doesn't exist, replace value if attribute
              exists, delete if no value given, can be called multiple times if
              multiple values to set (e.g -v HOST/janettePC -v
              HOST/janettePC.bloody.local) (default: [])
  --raw       if set, will try to send the values provided as is, without any
              encoding (default: False)
  --b64       expect base64 values in -v (available only with --raw) (default:
              False)
```

### set owner

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass set owner -h
usage: bloodyAD set owner [-h] target owner

positional arguments:
  target      sAMAccountName, DN or SID of the target
  owner       sAMAccountName, DN or SID of the new owner

options:
  -h, --help  show this help message and exit
```

> [!WARNING]
> If you only have [WRITE_OWNER](https://github.com/CravateRouge/bloodyAD/wiki/Access-Control#rights) or SE_TAKE_OWNERSHIP_PRIVILEGE, you can only set yourself as owner. You must have DS-Set-Owner on the domain or SeRestorePrivilege to set any other user as owner (see [MS-ADTS] 6.1.3.5 and [this article](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects#policy-management)).

### set password

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass set password -h
usage: bloodyAD set password [-h] [--oldpass OLDPASS] target newpass

positional arguments:
  target             sAMAccountName, DN or SID of the target
  newpass            new password for the target

options:
  -h, --help         show this help message and exit
  --oldpass OLDPASS  old password of the target, mandatory if you don't have
                     "change password" permission on the target (default: None)
```

> [!NOTE]
> You can use `oldpass` to change the password of another user without having any special right on it.
> (Useful when the target is locked because the password is expired)

### set restore

```ps1
$ bloodyAD -H 10.10.10.10 -d bloody -u admin -p pass set restore -h
usage: bloodyAD set restore [-h] [--newName NEWNAME] [--newParent NEWPARENT] target

positional arguments:
  target                DN, sAMAccountName (or name for GPO) or SID of the target
                        (avoid sAMAccountName if there is a duplicate)

options:
  -h, --help            show this help message and exit
  --newName NEWNAME     new name for the restored object (update also
                        sAMAccountName, UPN, SPN...), if not provided will use
                        the last known RDN (default: None)
  --newParent NEWPARENT
                        new parent for the restored object, if not provided will
                        use the last known parent (default: None)
```