Key AD attacks:
Kerberoasting (request service tickets, crack offline),
AS-REP Roasting (request hash for accounts with pre-auth disabled),
DCSync (replicate all hashes from DC),
Golden/Silver tickets.
Kerberoasting targets service accounts with SPNs: the attacker requests a TGS ticket and cracks the service account's password offline. Defense: service accounts should have complex passwords of 25+ characters (managed service accounts). DCSync requires Domain Admin, the ultimate goal of AD attacks.
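A detection-side view of the Kerberoasting pattern above, as an added example that is not part of the original notes: it scans Windows Security event 4769 (service ticket requested) records for one account requesting RC4 (encryption type 0x17) tickets for several distinct service accounts in a short window. The dict keys, the 5-minute window, the threshold of 3 and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # "Ticket Encryption Type" value for RC4-HMAC in event 4769

def _ev(time, account, service, etype):
    # Hypothetical simplified record; real 4769 events carry more fields.
    return {"time": time, "account": account, "service": service, "etype": etype}

# Constructed sample of event 4769 records (not real logs).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:05", "alice@CORP.EXAMPLE", "svc-sql", "0x12"),
    _ev("2024-05-01T09:10:00", "alice@CORP.EXAMPLE", "svc-legacy", "0x17"),
    _ev("2024-05-01T09:02:00", "bob@CORP.EXAMPLE", "svc-sql", "0x17"),
    _ev("2024-05-01T09:02:10", "bob@CORP.EXAMPLE", "svc-web", "0x17"),
    _ev("2024-05-01T09:02:15", "bob@CORP.EXAMPLE", "DC01$", "0x17"),
    _ev("2024-05-01T09:02:20", "bob@CORP.EXAMPLE", "svc-backup", "0x17"),
    _ev("2024-05-01T09:02:40", "bob@CORP.EXAMPLE", "svc-iis", "0x17"),
    _ev("2024-05-01T08:00:00", "carol@CORP.EXAMPLE", "svc-a", "0x17"),
    _ev("2024-05-01T09:00:00", "carol@CORP.EXAMPLE", "svc-b", "0x17"),
    _ev("2024-05-01T10:00:00", "carol@CORP.EXAMPLE", "svc-c", "0x17"),
]

def find_kerberoast_suspects(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted service names} for accounts that requested RC4
    tickets for >= threshold distinct services inside one sliding window."""
    per_account = defaultdict(list)
    for ev in events:
        svc = ev["service"]
        # Skip AES tickets, machine accounts (name ends in $) and krbtgt.
        if ev["etype"] != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), svc))
    suspects = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # shrink window from the left
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= threshold:
                suspects[account] = sorted(services | set(suspects.get(account, [])))
    return suspects

if __name__ == "__main__":
    print(find_kerberoast_suspects(SAMPLE_EVENTS))
```

A single RC4 request (alice) or requests spread over hours (carol) stay below the threshold; only the burst from bob is reported.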