One Day Sec

Once an attacker has a domain controller's computer account hash, how can they use it to perform a DCSync attack?

The attacker can use the hash to create a Silver Ticket for the LDAP service on the domain controller via mimikatz, then execute DCSync to dump all domain user hashes. Alternatively, they can use secretsdump.py with the hash to connect directly to the domain controller from any machine (including one that is not domain-joined) and run DCSync. For example: `python secretsdump.py -hashes :7da530fba3b15a2ea21ce7db8110d57b test/[email protected]`. Either route effectively grants domain admin privileges. See "Domain Penetration - Using MachineAccount to Achieve DCSync" for full commands.
Tags: DCSync, silver ticket, secretsdump, domain controller hash, domain admin
