Now that we have a Domain Admin account, another step that can be taken is to run "DCSync". DCSync effectively impersonates a Domain Controller and requests account password data from the targeted Domain Controller. This will allow an attacker to potentially maintain persistence by acquiring more credentials across the domain.
As always, this is more of a step-by-step walkthrough on how the actions are performed. There are many other blogs that go into further detail on the attack and how to mitigate. I will not be doing that here.
To continue about our example, we will assume the following: