When testing Active Directory our goals should be to:
gain a foothold on a machine on the domain and elevate our privileges
enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
gain access to the domain controller
persist on the domain (situation dependent)
Assuming that we've already gained a foothold on the domain, we should now be focused on gathering credentials to move laterally within the domain.
Cached credential retrieval
Once you have local admin privileges on a domain-joined computer you can dump the credentials cached in LSASS memory and the local SAM database.
Mimikatz
mimikatz.exe
privilege::debug             (acquire SeDebugPrivilege, required to read LSASS memory)
sekurlsa::logonpasswords     (dump credentials held in LSASS)
lsadump::sam                 (dump the local SAM database)
sekurlsa::tickets            (dump Kerberos tickets held in memory)
kerberos::list               (list cached Kerberos tickets for the current user)
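From the defender's side, sekurlsa::logonpasswords has to open lsass.exe with a handle that can read its memory, which is exactly what Sysmon Event ID 10 (ProcessAccess) records. The following detector is an added example written for these notes, not code from the original page or from the mimikatz project; the allowlisted source paths and the sample events are constructed assumptions to be tuned per environment. LSA Protection (RunAsPPL) and Credential Guard are the corresponding hardening controls.

```python
# Added example, not part of the original notes: flag Sysmon Event ID 10
# (ProcessAccess) records where a non-allowlisted process opens lsass.exe
# with a handle that includes PROCESS_VM_READ, the right needed to read
# credentials out of LSASS memory. All sample events below are constructed.

PROCESS_VM_READ = 0x0010   # access bit required to read another process's memory

# Processes that routinely open LSASS on a Windows host. These paths are an
# assumption for this example; build the real list from your own baseline.
KNOWN_BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon records carrying only the fields the check uses.
# GrantedAccess is logged by Sysmon as hexadecimal text.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def is_lsass_read(event):
    """True when a Sysmon EID 10 record shows a non-allowlisted process
    opening lsass.exe with a handle that can read its memory."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in KNOWN_BENIGN_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def find_lsass_access(events):
    """Return the SourceImage of every suspicious LSASS open, in log order."""
    return [e["SourceImage"] for e in events if is_lsass_read(e)]


if __name__ == "__main__":
    for image in find_lsass_access(SAMPLE_EVENTS):
        print("suspicious LSASS access from", image)
```

Only the handle that carries PROCESS_VM_READ from an unexpected image is reported; the taskmgr.exe open with 0x1400 (query rights only) is not, which is the usual way to keep this rule quiet on busy hosts.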
Attacks
Kerberoasting
If we find interesting service accounts (domain accounts with an SPN set) while enumerating, we can export their Kerberos 5 etype 23 (RC4-HMAC) service ticket hashes for offline cracking.
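On the domain controller, each of those ticket requests is a Security Event 4769 with TicketEncryptionType 0x17 (etype 23). The detector below is an added example for these notes, not code from the original page; the 4769 records are constructed, and the threshold of two distinct SPNs per account is an assumption. Accounts that do not support AES will legitimately produce RC4 tickets, so the signal is one account pulling RC4 tickets for many user-owned SPNs, and the hardening answer is AES-only service accounts (or gMSAs) with long random passwords.

```python
# Added example, not part of the original notes: group successful RC4-HMAC
# (etype 0x17 = 23) service-ticket requests from Security Event 4769 by the
# requesting account. Machine accounts (ServiceName ending in '$') and the
# krbtgt TGT are excluded because they are not Kerberoasting targets.
# All sample events below are constructed.

from collections import defaultdict

RC4_HMAC = 0x17   # "etype 23" in the notes above

# Constructed 4769 records carrying only the fields the check uses.
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01.corp.local:1433",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "HTTP/web01.corp.local",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.25"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01.corp.local:1433",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.40"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.41"},
    {"TargetUserName": "dave@CORP.LOCAL", "ServiceName": "HTTP/web01.corp.local",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "::ffff:10.0.0.42"},
]


def is_roastable_request(event):
    """True for a successful RC4 service-ticket request whose service
    principal is a user account (not a machine account, not krbtgt)."""
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower().startswith("krbtgt"):
        return False
    if int(event.get("Status", "0x0"), 16) != 0:
        return False                       # a failed request yields no ticket
    return int(event.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC


def kerberoast_candidates(events, min_services=2):
    """Map requesting account -> sorted list of RC4 service names, keeping
    only accounts that requested tickets for at least min_services SPNs."""
    by_account = defaultdict(set)
    for e in events:
        if is_roastable_request(e):
            by_account[e["TargetUserName"]].add(e["ServiceName"])
    return {acct: sorted(spns) for acct, spns in by_account.items()
            if len(spns) >= min_services}


if __name__ == "__main__":
    for acct, spns in kerberoast_candidates(SAMPLE_4769).items():
        print(acct, "requested RC4 tickets for", ", ".join(spns))
```

In the sample data only alice is reported: bob's request was AES (0x12), carol's was for the TGT, dave's failed, and alice's WS01$ ticket is dropped as a machine account.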
Pass the hash
Pass the hash allows an attacker to authenticate to a remote system using a user's NTLM hash, without knowing the plaintext password.
Many PTH tools require both the LM and NTLM hash as part of the command, in the form LM:NTLM. If the LM hash is not available you can use a string of 32 zeros in its place.
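Because a pass-the-hash session looks like any other NTLM network logon on the target (Security Event 4624, LogonType 3, AuthenticationPackageName NTLM), the practical detection is the pattern rather than the single event: one account authenticating over NTLM from one source address to many hosts in a short window. The heuristic below is an added example for these notes, not code from the original page; the 4624 records, the 300-second window and the three-host threshold are constructed assumptions. Vulnerability scanners and backup agents produce the same fan-out and need an allowlist, and the stronger controls are restricting NTLM, LAPS for local administrator passwords, and keeping admin accounts in Protected Users.

```python
# Added example, not part of the original notes: flag NTLM network-logon
# fan-out in Security Event 4624 data, the footprint pass-the-hash leaves on
# the hosts it reaches. Machine accounts and ANONYMOUS LOGON are ignored.
# 'Time' is an integer epoch and 'Computer' is the host that recorded the
# event (the System section of the event XML). All sample events are constructed.

from collections import defaultdict

NETWORK_LOGON = "3"

# Constructed 4624 records carrying only the fields the check uses.
SAMPLE_4624 = [
    {"Time": 1000, "Computer": "FS01", "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"},
    {"Time": 1030, "Computer": "WEB01", "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"},
    {"Time": 1075, "Computer": "DB01", "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"},
    {"Time": 1110, "Computer": "HR01", "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.25"},
    {"Time": 1020, "Computer": "FS01", "TargetUserName": "bob", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.40"},
    {"Time": 1040, "Computer": "FS01", "TargetUserName": "WS02$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"Time": 1050, "Computer": "FS01", "TargetUserName": "carol", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.60"},
    {"Time": 1060, "Computer": "WEB01", "TargetUserName": "carol", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.60"},
    {"Time": 1070, "Computer": "DB01", "TargetUserName": "carol", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.60"},
]


def is_ntlm_network_logon(event):
    """True for a network logon by a user account that authenticated with NTLM."""
    user = event.get("TargetUserName", "")
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return False
    return (event.get("LogonType") == NETWORK_LOGON
            and event.get("AuthenticationPackageName", "").upper() == "NTLM")


def ntlm_fanout(events, window_seconds=300, min_hosts=3):
    """Return {(account, source_ip): sorted target hosts} for every account
    that reached at least min_hosts distinct hosts over NTLM from one
    source address within window_seconds."""
    groups = defaultdict(list)
    for e in events:
        if is_ntlm_network_logon(e):
            groups[(e["TargetUserName"], e["IpAddress"])].append((e["Time"], e["Computer"]))
    hits = {}
    for key, logons in groups.items():
        logons.sort()                      # order by time for the sliding window
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window_seconds}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (account, src), hosts in ntlm_fanout(SAMPLE_4624).items():
        print(f"{account} from {src} reached {len(hosts)} hosts over NTLM: {', '.join(hosts)}")
```

In the sample data only alice from 10.0.0.25 is reported; carol's logons are Kerberos, bob reaches a single host, and WS02$ is a machine account. The window is a sliding one over each account's logons, so a slow spread across the day is deliberately not flagged by this rule and needs a longer-horizon query.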