BadBlood Featured

BadBlood: Active Directory object creator and security generator

We all know the issue. You just installed Active Directory Domain Services but everything is empty. To start testing you need to create all sorts of objects which cost a lot of time. This is where BadBlood comes to rescue.

Create Real World Active Directory domains

BadBlood is a collection of scripts developed by David Prowe from Secframe. It eliminates the manual labor for creating real-world content in your Active Directory domain for testing or research. For example, it creates a lot of User objects filled with full names, complex passwords, and a structure of Organisation Units. This takes care of the whole process for creating this manually.

Besides the Users and OU’s there this tool also address the need for Groups and Permissions. This completes the whole real-world scenario to deploy a test domain as quickly as possible. The only thing you need to manually do is install the ADDS role and create the initial domain. Of course, you can also automate that part with a script.

I found BadBlood in a post of Daniel Dieterle a.k.a Cyberarms in his Instagram stories. He has some nice content on there, so be sure to follow him.

Quick deployment of a test domain

This script could not come at a better time. I was just deploying a new Microsoft Windows Server 2019 Domain Controller to build a quick test domain on virtualbox. I downloaded a trial ISO for the installation and did the next-next-finish thing to deploy the machine. After that the usual stuff of chaning the hostname and update this bad boy with the lastest patches.

Before you can start and use this script you need to install the Active Directory Domain Services role. When choosing this role on Windows Server 2019 it will automatically install all the management tools. I also deploy the DNS server role and create the zones prior to the installation. Here is a quick Powershell example of my Domain Controller promotion.

Import-Module ADDSDeployment

Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "cybertron.local" `
-DomainNetbiosName "CYBERTRON" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `

Since this blogpost is not about the installation of the Domain Controller itself, I leave that up to you. Let’s say it is ready and configured the way you like. We can now start and deploy the real-world content in it, since it is a bit empty now.

Empty Active Directory domain before using BadBlood

The first thing you need is to download or clone the BadBlood repository from GitHub. If you have the Git client installed, you can do this with an easy onliner.

git clone

I have the scripts ready for action. There are a few files in the repository, but the only one you need is Invoke-BadBlood.ps1.

BadBlood repository contents

After some disclaimer questions (because you do NOT want to run this in a production environment) the script starts to deploy all the objects.

BladBlood starting to deploy objects and security

While the script runs, you see the different stages passing by. All of the stages below are run to create that sweet domain content you where looking for.

  • Creating Tiered OU Structure
  • Creating Users on Domain
  • Creating Groups on Domain
  • Creating Computers on Domain
  • Creating Permissions on Domain
  • Nesting objects into groups on Domain

After BadBlood is finished, you’ll end up with something that looks like this. But, never with the same content. BadBlood randomizes everything on every run. As you can see I have a nice OU structure in my domain and lots of users. The users are also added to groups to make for a real world nesting.

Newly created users with nested groups in Active Directory domain

A nice feature of BadBlood is also the permissions on User objects themself. As you can see in the example below the User FREDA has Full Control on MARA’s User object. This makes looking a possible privilege escalation routes more realistic.

Security permissions on Active Directory User.

BadBlood saves a huge amount of time

Every now and then you just want to have an Microsoft Active Directory domain to try your new found magic on. BadBlood not only makes this job very less time consuming, it also provides you with an automated real worls scenario. And since a good hacker is a lazy hacker (in terms of doing manual stuff), I really recommend using BadBlood.


Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Your Header Sidebar area is currently empty. Hurry up and add some widgets.