1. What ports are used for Active Directory?
Sigiloso
At the time, Offensive Security of pre-2019 did not teach us Active Directory, but I quickly learned that since AD is built on top of standard SMB (Server Message Block), you can use techniques like overpassing-the-hash and passing-the-ticket to get a TGT (Ticket Granting Ticket), then attempt to crack the hashes of a different user that may be domain-joined. By compromising the other domain-joined user, you can then begin enumerating other users of the domain and hopefully leak information from the domain controller. Furthermore, you can use malicious SMB shares to spread malware as HTA macro payloads in Word documents to trick the client's employees into loading them. Outside of using tools like Responder to coordinate with SMB relays, or generating MOF files and adding them to the share, or using SMB named pipe exploits to compromise domain-joined users as a non-domain-joined user.