Initial Foothold

Let's say you found a bunch of open ports and the host looks like an AD box (seeing Kerberos port 88 open, etc.).

  1. HTTP vuln > initial foothold.

  2. HTTP (no vuln, but some user info) > kerbrute with that user info > create username & password lists and use cme (crackmapexec) to brute force the login > evil-winrm to log in.
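
The second path leaves a trail on the domain controller, so it helps to know what it looks like from the defending side. The sketch below is an added example, not part of the original notes: it flags sources that request many unknown usernames (event 4768, status 0x6) or fail pre-authentication against many accounts (event 4771, status 0x18). The event dicts are a simplified, constructed stand-in for Security log records, and the `min_users` threshold, the lack of a time window, and the helper names are assumptions.

```python
from collections import defaultdict

# Kerberos status codes as they appear in the Windows Security log.
PRINCIPAL_UNKNOWN = "0x6"   # 4768: requested username is not in the directory
PREAUTH_FAILED = "0x18"     # 4771: pre-authentication failed (wrong password)

def detect(events, min_users=5):
    """Return {source_ip: [findings]} for sources that probe many accounts."""
    unknown = defaultdict(set)   # source -> nonexistent usernames requested
    badpw = defaultdict(set)     # source -> real accounts with failed pre-auth
    for ev in events:
        # DCs often log IPv4 sources in IPv4-mapped IPv6 form.
        src = ev["IpAddress"].replace("::ffff:", "")
        user = ev["TargetUserName"].lower()
        if ev["EventID"] == 4768 and ev["Status"] == PRINCIPAL_UNKNOWN:
            unknown[src].add(user)
        elif ev["EventID"] == 4771 and ev["Status"] == PREAUTH_FAILED:
            badpw[src].add(user)
    findings = defaultdict(list)
    # Count distinct usernames, so one person mistyping a password is ignored.
    for src, users in unknown.items():
        if len(users) >= min_users:
            findings[src].append("user-enumeration")
    for src, users in badpw.items():
        if len(users) >= min_users:
            findings[src].append("password-guessing")
    return dict(findings)

def _ev(eid, ip, user, status):
    """Build one constructed event record (hypothetical helper)."""
    return {"EventID": eid, "IpAddress": ip, "TargetUserName": user, "Status": status}

# Constructed sample events, not taken from a real environment.
SAMPLE = (
    [_ev(4768, "::ffff:10.0.0.50", f"guess{i}", "0x6") for i in range(8)]
    + [_ev(4771, "::ffff:10.0.0.50", f"user{i}", "0x18") for i in range(6)]
    + [_ev(4771, "::ffff:10.0.0.7", "alice", "0x18") for _ in range(3)]
    + [_ev(4768, "::ffff:10.0.0.7", "alice", "0x0")]  # successful TGT request
)

if __name__ == "__main__":
    for src, hits in detect(SAMPLE).items():
        print(src, hits)
```

These events are only written when the "Audit Kerberos Authentication Service" subcategory has failure auditing enabled on the domain controllers.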
