5/16 (Thu.) 09:30 - 10:00 4F 4B

Applying Detection Engineering to Attacks Related to Kerberos in Active Directory (AD)

Many enterprises rely heavily on Active Directory (AD) as the backbone for user and asset management, software update distribution, and related unified control mechanisms. While AD offers rich and diverse functionality, it also introduces security risks, directly or indirectly, because administrators configure settings improperly for convenience, among other reasons. Moreover, the internal network structure of large enterprises is relatively complex, making it difficult to promptly detect ongoing attacks in the absence of comprehensive detection mechanisms. Starting from the blue team's perspective, this presentation will share how the Kerberos protocol, the core authentication mechanism of domain services, operates; the attack techniques closely related to the Kerberos protocol; and how to detect such attacks effectively and promptly in order to prevent attackers from taking over the enterprise domain services.

Mars Cheng
SPEAKER
Threat Research Manager
TXOne Networks

Dexter Chen
CO-AUTHOR
Threat Researcher
TXOne Networks

TOPIC / TRACK
Threat Research Forum

LOCATION
Taipei Nangang Exhibition Center, Hall 2
4F 4B

LEVEL
Intermediate
Intermediate sessions focus on cybersecurity architecture, tools, and practical applications, ideal for professionals with a basic understanding of cybersecurity.

SESSION TYPE
Breakout Session

LANGUAGE
Chinese

SUBTOPIC
Active Directory Security
Blue Team