AD Checklist


Enumeration

Network and service discovery
a. Network mapping (BloodHound)
    - Reachable high-value targets
    - High-value groups
    - RDP access to machines
    - GPOs
b. Identifying domain controllers
c. Start Responder to capture hashes
d. Finding exposed services
    - LDAP
    - SMB
    - Kerberos
    - MSSQL
e. Check whether additional network interfaces are present on the domain controller (can be checked with the crackmapexec ioxidresolver module)

Collecting Active Directory Information
a. Users, groups and members
b. Password policies
c. Network shares and permissions
d. ACLs and permissions
e. Configuration of services and applications

Identification of potential vulnerabilities
a. Patch status of systems and software
b. Analysis of default configurations
c. Search for known vulnerabilities (CVEs)
d. Tests for weak authentication

Exploitation

Exploitation of identified vulnerabilities
a. Brute force attacks
b. Using public or custom exploits
c. Injection of scripts or commands
d. Pass-the-hash or pass-the-ticket attacks

Access to sensitive resources
a. Read access to SMB shares on domain controllers
b. Reading configuration files and logs
c. Extraction of sensitive data
    - hashes
    - tickets
    - keys
    - etc

Scanning for Active Directory specific vulnerabilities
a. NoPac vulnerability
b. PetitPotam vulnerability
c. Kerberoasting attacks
d. Exploitation of golden and silver tickets
e. DCSync and DCShadow attacks
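Defender-side detection logic for the DCSync and Kerberoasting items above, as an added example that is not part of the original checklist. It assumes the Windows Security events were exported as one JSON object per line with the fields shown (a constructed format); the replication-right GUIDs, event IDs 4662/4769 and encryption type 0x17 are the standard Windows values, and the account names are constructed sample data.

```python
import json
# Control-access-right GUIDs that a DCSync request needs (standard AD values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dccc",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dccc",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"  # ticket encryption type Kerberoasting tools request

def is_dcsync(event, dc_accounts):
    """Event 4662 granting replication rights to a principal that is not
    a domain controller computer account (DCs replicate legitimately)."""
    if event["id"] != 4662:
        return False
    props = {p.lower() for p in event.get("properties", [])}
    return bool(props & REPLICATION_GUIDS) and event["subject"].lower() not in dc_accounts

def is_kerberoast(event):
    """Event 4769: RC4 service ticket for a user-account SPN. krbtgt and
    computer accounts (names ending in $) are excluded to cut noise."""
    if event["id"] != 4769:
        return False
    svc = event.get("service", "")
    return (event.get("etype") == RC4_HMAC
            and not svc.lower().startswith("krbtgt")
            and not svc.endswith("$"))

def triage(lines, dc_accounts):
    """Return (rule, requesting account) for every matching event line."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_dcsync(ev, dc_accounts):
            hits.append(("dcsync", ev["subject"]))
        elif is_kerberoast(ev):
            hits.append(("kerberoast", ev["subject"]))
    return hits

# Constructed sample events, one JSON object per line (not real log data).
DC_ACCOUNTS = {"dc01$"}  # lower-cased DC computer accounts (assumed inventory)
SAMPLE = [
    '{"id": 4662, "subject": "DC01$", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dccc"]}',
    '{"id": 4662, "subject": "jdoe", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dccc", "1131f6ad-9c07-11d1-f79f-00c04fc2dccc"]}',
    '{"id": 4769, "subject": "jdoe", "service": "MSSQLSvc/sql01.corp.local", "etype": "0x17"}',
    '{"id": 4769, "subject": "jdoe", "service": "krbtgt", "etype": "0x12"}',
    '{"id": 4769, "subject": "svc_backup", "service": "WS01$", "etype": "0x17"}',
]

if __name__ == "__main__":
    for rule, who in triage(SAMPLE, DC_ACCOUNTS):
        print(f"{rule}: {who}")
```

In production the 4662 check should also be limited to the domain naming context object and correlated with the source host, since a single rule on the GUIDs alone will still fire for legitimate tools such as Azure AD Connect accounts.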

Privilege escalation

Local privilege escalation
a. Exploitation of operating system vulnerabilities
b. Abuse of features or services
    - MSSQL
c. Manipulation of tokens and privileges

Privilege escalation within Active Directory
a. Adding a user to privileged groups (e.g. Domain Admins)
b. Changing access rights and permissions
c. Creating new accounts with elevated privileges

Maintaining and Concealing Access
a. Creation of backdoors and hidden accounts
b. Use of persistence techniques
    - Task Scheduler
    - Startup folder
    - Registry AutoRun keys
c. Erasing traces and logs

Tools and commands useful during an Active Directory pentest

  • Find the IP(s) of the domain controller(s) via the DC locator SRV record
    nslookup -type=SRV _ldap._tcp.dc._msdcs.YOUR_DOMAIN

  • Responder (run inside tmux so it keeps capturing after you detach)
    tmux new -s responder

    responder -I eth0

    Ctrl+b, then d (detach from the tmux session)

  • BloodHound
    bloodhound-python -u 'USER' -p 'PASSWORD' -d 'DOMAIN' -c All -ns IP

  • ldapsearch
    ldapsearch -x -h YOUR_IP -s base

    ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +

  • enum4linux
    enum4linux -a IP

    enum4linux -U IP | grep 'user:'

  • crackmapexec
    crackmapexec smb <ip> -u 'user' -p 'password'

    crackmapexec smb <ip> -u 'user' -p 'password' --shares

    crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac

    crackmapexec smb <ip> -u '' -p '' -M petitpotam

    crackmapexec smb <ip> -u '' -p '' -M zerologon

    crackmapexec smb <ip> -u '' -p '' -M ioxidresolver