1.Why is enumerating privileged groups one of the first steps after gaining domain user credentials?
2.Beyond Domain Admins, which group is frequently overlooked but grants significant privileges?
3.Why do nested group memberships create hidden privilege paths?
4.You find a service account (svc_sqlprod) in the Domain Admins group with a registered SPN. Why is this a particularly high-value finding?
5.What is the difference between enumerating group memberships and using BloodHound for privilege path analysis?
6.How would you explain to a client why having 14 accounts in Domain Admins is a finding, even if all are legitimate employees?