Active Directory Health Assessment - A poorly maintained AD environment has more exposure. Replication failures, DNS issues, and stale accounts all create openings.

Active Directory Trust Security - Attackers enumerate trust relationships first. A misconfigured trust can give access to a higher-privilege domain without needing to compromise it directly.

Duplicate SPNs - Duplicate SPNs force Kerberos to fall back to NTLM, creating the conditions that make the next steps easier

Kerberoasting - Attacker requests service tickets for accounts with SPNs and cracks them offline to obtain service account credentials.

AS-REP Roasting - Attacker targets accounts with pre-authentication disabled, no credentials needed to request a crackable hash.

Unconstrained Kerberos Delegation - With a foothold on a server configured for unconstrained delegation, the attacker harvests TGTs from every privileged user who connects, including domain admins.

DCSync Attack - With sufficient privileges obtained through the steps above, the attacker pulls every password hash in the domain without touching a domain controller.