Remove Examples

Remove DCSync

Removes the DCSync right for the provided trustee.

#sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove dcsync "rose"

#SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove dcsync "S-1-5-21-548670397-972687484-3496335370-1601"

#Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove dcsync "CN=Rose Fox,CN=Users,DC=sequel,DC=htb"


Remove genericAll

Removes the trustee's full control (GenericAll) over the target.

#sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove genericAll "CA_SVC" "ryan"

#SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove genericAll "S-1-5-21-548670397-972687484-3496335370-1607" "S-1-5-21-548670397-972687484-3496335370-1114"

#Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove genericAll "CN=Certification Authority,CN=Users,DC=sequel,DC=htb" "CN=Ryan Howard,CN=Users,DC=sequel,DC=htb"


Remove groupMember

Removes a member (user, group, or computer) from a group.

#sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove groupMember "Management Department" "Rose"

#SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove groupMember "S-1-5-21-548670397-972687484-3496335370-1602" "S-1-5-21-548670397-972687484-3496335370-1601"

#Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove groupMember "CN=Management Department,CN=Users,DC=sequel,DC=htb" "CN=Rose Fox,CN=Users,DC=sequel,DC=htb"


Remove object

Removes an object (user, group, computer, organizational unit, etc.).

#User
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove object "Rose"

#Group
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove object "Management Department"


Remove RBCD

Removes Resource-Based Constrained Delegation for the service on the target.

#sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove rbcd "Rose" "Management Department"

#SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove rbcd "S-1-5-21-548670397-972687484-3496335370-1601" "S-1-5-21-548670397-972687484-3496335370-1602"

#Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove rbcd "CN=Rose Fox,CN=Users,DC=sequel,DC=htb" "CN=Management Department,CN=Users,DC=sequel,DC=htb"


Remove shadowCredentials

Removes Key Credentials from the target.

#sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove shadowCredentials "Rose"

#SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove shadowCredentials "S-1-5-21-548670397-972687484-3496335370-1601" 

#Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove shadowCredentials "CN=Rose Fox,CN=Users,DC=sequel,DC=htb"


Remove UAC

Removes property flags (userAccountControl bits) that alter user/computer object behavior.

#sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove uac "Rose" -f LOCKOUT

#SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' remove uac "S-1-5-21-548670397-972687484-3496335370-1601" -f ACCOUNTDISABLE

#Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove uac "CN=Rose Fox,CN=Users,DC=sequel,DC=htb" -f SMARTCARD_REQUIRED

UserAccountControl Flags

Property Flag                      Description
SCRIPT                             The logon script will be run.
ACCOUNTDISABLE                     The user account is disabled.
HOMEDIR_REQUIRED                   The home folder is required.
PASSWD_NOTREQD                     No password is required.
PASSWD_CANT_CHANGE                 The user can't change the password. It's a permission on the user's object.
ENCRYPTED_TEXT_PASSWORD_ALLOWED    The user can send an encrypted password.
TEMP_DUPLICATE_ACCOUNT             It's an account for users whose primary account is in another domain. Provides access to this domain but not to trusting domains.
NORMAL_ACCOUNT                     It's a default account type that represents a typical user.
INTERDOMAIN_TRUST_ACCOUNT          It's a permit to trust an account for a system domain that trusts other domains.
WORKSTATION_TRUST_ACCOUNT          It's a computer account for a workstation or server that is a member of this domain.
SERVER_TRUST_ACCOUNT               It's a computer account for a domain controller that is a member of this domain.
DONT_EXPIRE_PASSWD                 Represents the password, which should never expire on the account.
MNS_LOGON_ACCOUNT                  It's an MNS logon account.
SMARTCARD_REQUIRED                 Forces the user to log on using a smart card.
TRUSTED_FOR_DELEGATION             Service account is trusted for Kerberos delegation.
NOT_DELEGATED                      The security context of the user isn't delegated to a service even if the service account is trusted for Kerberos delegation.
USE_DES_KEY_ONLY                   Restricts this principal to use only DES encryption types for keys.
DONT_REQUIRE_PREAUTH               This account doesn't require Kerberos pre-authentication for logging on.
PASSWORD_EXPIRED                   The user's password has expired.
TRUSTED_TO_AUTH_FOR_DELEGATION     The account is enabled for delegation, allowing it to assume a client's identity and authenticate as that user to other servers.
PARTIAL_SECRETS_ACCOUNT            The account is a read-only domain controller (RODC). Removing this compromises security on the server.
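
The flags in this table are bits of the userAccountControl attribute, and "remove uac -f FLAG" clears one of them. The snippet below is an added example in Python (not bloodyAD's own code): it decodes a value into the flag names above, clears a flag the same way, and reports flags that weaken an account; the bit values are Microsoft's documented ones, and the sample value is constructed.

```python
# Added example, not bloodyAD's own code: decode a userAccountControl value into
# the flag names of the table above, clear one flag as "remove uac -f FLAG" does
# (a bitwise clear), and audit for flags that weaken the account.
UAC_FLAGS = {  # bit values per Microsoft's ADS_USER_FLAG_ENUM
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQUIRE_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
# Flags that weaken an ordinary user account when set; a defender wants them
# cleared, e.g. with "remove uac <target> -f DONT_REQUIRE_PREAUTH".
RISKY_FLAGS = {"PASSWD_NOTREQD", "DONT_REQUIRE_PREAUTH", "USE_DES_KEY_ONLY",
               "ENCRYPTED_TEXT_PASSWORD_ALLOWED", "TRUSTED_FOR_DELEGATION",
               "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def decode_uac(value):
    """Return the sorted flag names set in a userAccountControl integer."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)

def remove_uac_flag(value, flag):
    """Clear one flag, as 'remove uac <target> -f FLAG' does; unknown names raise KeyError."""
    return value & ~UAC_FLAGS[flag]

def audit_uac(value):
    """Return the risky flags set on the value; an empty list means nothing to fix."""
    return sorted(set(decode_uac(value)) & RISKY_FLAGS)

if __name__ == "__main__":
    # Constructed sample: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH
    uac = 0x200 | 0x10000 | 0x400000
    print(decode_uac(uac), audit_uac(uac))        # risky: DONT_REQUIRE_PREAUTH
    print(decode_uac(remove_uac_flag(uac, "DONT_REQUIRE_PREAUTH")))
```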

Remove dnsRecord

Removes a DNS record from the AD-integrated DNS.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" remove dnsRecord dc02.sequel.htb 10.10.14.206 

Options available for remove dnsRecord:

  -h, --help            show this help message and exit
  --dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}
                        DNS record type (default: A)
  --zone ZONE           DNS zone (default: CurrentDomain)
  --ttl TTL             DNS record TTL, time in seconds the record stays in DNS caches, must be low if you want to propagate record updates quickly
                        (default: 300)
  --preference PREFERENCE
                        DNS MX record preference, must be lower than the concurrent records to be chosen (default: 10)
  --port PORT           listening port of the service in a DNS SRV record (default: None)
  --priority PRIORITY   priority of a DNS SRV record against concurrent, must be lower to be chosen, if identical to others, highest weight will be chosen
                        (default: 10)
  --weight WEIGHT       weight of a DNS SRV record against concurrent, must be higher with the lowest priority to be chosen (default: 60)
  --forest              if set, registers dns record in forest instead of domain (default: False)

Info

The options must be used if:

* The record is not an A type (you must provide other options depending on the type, but TTL is always optional).
* The record is not in the DOMAIN zone.
* The record is in the Forest DNS Partition and not the Domain DNS Partition.