LAPS password retrieval activity can be logged via directory service advanced auditing, specifically event ID 4662, after configuring the appropriate…
https://sra.io/blog/automated-detection-rule-analysis-with-dredd/
https://sra.io/blog/selective-kerberoast-prevention-using-dacls/
 
https://sra.io/blog/aws-iam-exploitation/
https://sra.io/blog/updated-results-from-the-mitre-attck-edr-evaluation/
https://sra.io/blog/a-closer-look-at-mitre-attck-evaluation-data/