Pentester, 20 year technology professional, lifelong geek and lover of all things tech.
Something fun that worked for me today:
1. Get low priv creds (various methods)
2. Find Exchange servers: https://github.com/aslarchergore/exchange_hunter2
3. Run https://github.com/Ridter/Exchange2domain, an all-in-one tool for privexchange
4. Collect NTDS
5. Remove Replication-Get-Changes-All privileges for owned user