Dropping these notes here as a reminder for myself; they might be useful for you too:
Scanning for services within Active Directory is best done using existing directory functionality to avoid detection. This is best achieved by querying Service Principal Names (SPNs), since services that use Kerberos authentication register an SPN in the directory.
Sean created a resource page of useful SPNs:
And this is a talk given by Sean earlier this year, entitled "Red vs. Blue: Modern Active Directory Attacks & Defense".
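Why SPNs stand in for a service scan, as an added example (not from these notes or from Sean's material): each SPN value encodes a service class, a host and an optional port or instance, so the values registered in your own directory can be parsed into a service inventory for review. The account names, hosts and SPN values below are constructed, and `parse_spn` and `build_inventory` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample: (account, servicePrincipalName) pairs as they might
# appear in a directory export. All names, hosts and ports are invented.
SAMPLE_EXPORT = [
    ("svc-sql", "MSSQLSvc/db01.corp.example:1433"),
    ("svc-sql", "MSSQLSvc/db01.corp.example:REPORTING"),
    ("WEB01$", "HTTP/web01.corp.example"),
    ("WEB01$", "TERMSRV/WEB01"),
    ("svc-app", "HTTP/portal.corp.example:8443/portal"),
    ("svc-bad", "not-an-spn"),
]

# SPN layout: <service class>/<host>[:<port or instance>][/<service name>]
SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>[^/]+))?(?:/(?P<name>.+))?$"
)

def parse_spn(spn):
    """Split one SPN into its parts; return None if it is malformed."""
    m = SPN_RE.match(spn.strip())
    if m is None:
        return None
    suffix = m.group("port")  # a TCP port, or a named instance (e.g. SQL)
    numeric = bool(suffix) and suffix.isdecimal()
    return {
        "service_class": m.group("cls").upper(),  # SPNs are case-insensitive
        "host": m.group("host").lower(),
        "port": int(suffix) if numeric else None,
        "instance": suffix if suffix and not numeric else None,
        "service_name": m.group("name"),
    }

def build_inventory(export):
    """Group parsed SPNs by host; collect malformed values separately."""
    by_host, rejected = defaultdict(list), []
    for account, spn in export:
        parsed = parse_spn(spn)
        if parsed is None:
            rejected.append((account, spn))
            continue
        parsed["account"] = account
        by_host[parsed["host"]].append(parsed)
    return dict(by_host), rejected

if __name__ == "__main__":
    inventory, rejected = build_inventory(SAMPLE_EXPORT)
    for host, services in sorted(inventory.items()):
        for s in services:
            where = s["port"] or s["instance"] or "default"
            print(f"{host:22} {s['service_class']:9} {where!s:10} {s['account']}")
    print("malformed:", rejected)
```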