Not a lot of people may know this, but even someone with only “Domain User” credentials can read a whole lot of information about Microsoft Active Directory from their personal machine without any sort...
Pentester, 20 year technology professional, lifelong geek and lover of all things tech.
Something fun that worked for me today:
1. Get low priv creds (various methods)
2. Find Exchange servers: https://github.com/aslarchergore/exchange_hunter2
3. Run https://github.com/Ridter/Exchange2domain, an all-in-one tool for privexchange
4. Collect NTDS
5. Remove Replication-Get-Changes-All privileges for owned user
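From the defender's side, the grant implied by step 5 and its later removal both show up as changes to `nTSecurityDescriptor` on the domain object. The following is an added detection example, not part of the original post: it diffs the old and new SDDL values of Security event 5136 pairs and reports replication rights granted to or revoked from unexpected trustees. It assumes Directory Service Changes auditing is enabled and the events are already parsed into dicts; the `EXPECTED` allowlist, the sample events, the SID and the account name are constructed.

```python
import re
from collections import defaultdict
# Control-access-right GUIDs that together allow directory replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: SDDL aliases expected to hold these rights; tune for your domain.
EXPECTED = {"BA", "DD", "ED", "RO", "EA"}

def repl_grants(sddl):
    """Return {(trustee, right)} for object-allow ACEs granting a replication right."""
    found = set()
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")
        if len(f) < 6 or f[0] != "OA":
            continue
        if f[2].lower().startswith("0x"):
            has_cr = bool(int(f[2], 16) & 0x100)  # ADS_RIGHT_DS_CONTROL_ACCESS
        else:  # rights are concatenated two-letter codes; split so "LCRP" is not read as CR
            has_cr = "CR" in {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}
        if has_cr and f[3].lower() in REPL_RIGHTS:
            found.add((f[5], REPL_RIGHTS[f[3].lower()]))
    return found

def replication_acl_changes(events):
    """Diff old/new nTSecurityDescriptor per operation; report unexpected trustees."""
    ops = defaultdict(dict)
    for e in events:
        if e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
            ops[e["OpCorrelationID"]][e["OperationType"]] = e
    out = []
    for op in ops.values():
        old = repl_grants(op.get("Value Deleted", {}).get("AttributeValue", ""))
        new = repl_grants(op.get("Value Added", {}).get("AttributeValue", ""))
        ref = op.get("Value Added") or op["Value Deleted"]
        for action, delta in (("granted", new - old), ("revoked", old - new)):
            for trustee, right in sorted(delta):
                if trustee not in EXPECTED:
                    out.append((ref["Time"], ref["SubjectUserName"], action, trustee, right))
    return sorted(out)
# Constructed sample: two 5136 pairs, a grant and a later removal (SID is made up).
BASE = "D:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
USER = "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1104)"
def ev(t, op, how, sddl):
    return {"Time": t, "OpCorrelationID": op, "OperationType": how, "SubjectUserName": "EXCH01$",
            "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": sddl}
SAMPLE = [ev("10:01", "a", "Value Deleted", BASE), ev("10:01", "a", "Value Added", BASE + USER),
          ev("10:09", "b", "Value Deleted", BASE + USER), ev("10:09", "b", "Value Added", BASE)]
```

A grant followed shortly by a revoke for the same trustee is worth alerting on by itself, since the cleanup in step 5 means a later review of the current ACL shows nothing.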