In this video, Trenton Ivey, Secureworks Offensive Researcher, Counter Threat Unit and Adversarial Security Testing, gives a demonstration of how, after initial compromise, an attacker would obtain a domain administrator's password using Mimikatz.
We now have administrative level access to a system owned by a domain controller. Let's use Mimikatz to try to pull credentials from memory and recover the domain administrator's password. Mimikatz has recovered the user's domain password; this password isn't bad. This credential would've taken a very long time for us to crack.
Fortunately for us, local admin access enabled us to read system memory with Mimikatz and get a clear text domain admin credential. While not the most stealthy approach, let's see if we can get access to the domain controller by using Invoke_wmi once again.
We now have administrative access to the domain controller. Let's use Mimikatz one more time. This time, we'll dump domain user hashes from the LSASS process. There are safer and stealthier ways to do this, but this method will be good enough for now. Now we can become anyone we want.
With a KRBTGT token, we can create our own Kerberos tickets for anyone in the domain. Now the only way for the blue team to keep us out of the domain account is to reset the whole domain. All we need to do now is to complete the remaining objectives.
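The credential dump shown in the video works by opening a read handle to the LSASS process. The following detection sketch is an added example, not part of the Secureworks video: it walks constructed Sysmon Event ID 10 (ProcessAccess) records flattened to key=value lines, and flags any non-allowlisted process that opened lsass.exe with memory-read rights. The allowlist and the sample records are assumptions for illustration.

```python
# Added example: flag processes that open lsass.exe with read access,
# the step the demo relies on to pull credentials from memory.
# Input is constructed Sysmon Event ID 10 records flattened to
# "key=value" lines; the field names follow Sysmon's own schema.
import re

# PROCESS_VM_READ is the right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately touch lsass.exe on a typical host.
# This set is an assumption for the example; tune it per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\m.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 'key=value key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_lsass_read(ev):
    """True when a process opened lsass.exe with memory-read rights."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def suspicious_lsass_access(lines):
    """Return source images that read LSASS memory and are not allowlisted."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_read(ev) and ev["SourceImage"].lower() not in ALLOWLIST:
            hits.append(ev["SourceImage"])
    return hits


if __name__ == "__main__":
    for image in suspicious_lsass_access(SAMPLE_EVENTS):
        print("suspicious LSASS access from", image)
```

Real deployments would also check the CallTrace field and the parent process rather than the image path alone, since an attacker can rename a binary.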