LDAPDomainDump
Using the credential of the compromised info account, I can use ldapdomaindump to get an overview about the target domain.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido/ldapdomaindump]
└─$ ldapdomaindump dc.hokkaido-aerospace.com -u 'HOKKAIDO-AEROSPACE.COM\info' -p 'info' -n dc.hokkaido-aerospace.com --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finishedComplete
Computers
/Practice/Hokkaido/3-Exploitation/attachments/{F6CF98BD-ECD9-4A00-9405-DEEDBABF10BF}.png)
Users
/Practice/Hokkaido/3-Exploitation/attachments/{5195B969-B5D1-49BA-B1D7-26ADA03CBC94}.png)
/Practice/Hokkaido/3-Exploitation/attachments/{530A2EE9-9D77-454E-9623-52B6D1551E59}.png)
/Practice/Hokkaido/3-Exploitation/attachments/{154DEA59-779F-4FCB-B174-CE3D307D5E81}.png)
Groups
/Practice/Hokkaido/3-Exploitation/attachments/{E27193D6-924B-4C50-9AF6-F3536B0B9C31}.png)
Those are the none default groups
There are groups relevant to WSUS, suggesting that the target system has WSUS installed