Attackers first gain access to an endpoint, then use enumeration tools to learn about the Active Directory environment and discover privileged accounts and configurations that can enable lateral movement and privilege escalation. They analyze the directory to find the easiest points of access, leveraging outdated, unknown, or improperly secured settings and delegations. Their goal is to spread ransomware or steal data using actions that may not be logged or that can bypass logging.