How can an attacker obtain the NTLM hash of a domain controller's computer account?

Attackers can obtain the hash via several methods: exporting from the local registry with mimikatz (`lsadump::secrets`), using DCSync to dump all computer account hashes from the domain controller (as described in Domain Penetration - Obtaining the NTDS.dit File from Domain Controller Servers), leveraging secretsdump.py to remotely connect and extract hashes, or exploiting CVE-2020-1472 (Zerologon) to modify the hash without authentication. The article Domain Penetration - Using MachineAccount to Achieve DCSync details each approach.