Not a lot of people may know this, but even someone with only “Domain User” credentials can read a whole lot of information about Microsoft Active Directory from their personal machine without any sort...
Something fun that worked for me today:
1. Get low priv creds (various methods)
2. Find Exchange servers: https://github.com/aslarchergore/exchange_hunter2
3. Run https://github.com/Ridter/Exchange2domain, an all-in-one tool for privexchange
4. Collect NTDS
5. Remove Replication-Get-Changes-All privileges for owned user
