How can an attacker identify vulnerable users and perform AS-REPRoasting?

Attackers can use PowerView's `Get-DomainUser -PreauthNotRequired` command to query users with the vulnerable flag (userAccountControl value 4194304). The hash is then exported using tools like ASREPRoast.ps1 or Rubeus (e.g., `Rubeus.exe asreproast`). The extracted hash is formatted as `$krb5asrep$...` and can be cracked with hashcat using mode 18200.