RpcRemoteFindFirstPrinterChangeNotificationEx
that allows print clients to subscribe to notifications of changes on the print server.DC01's
TGT from the compromised system and impersonates the DC to carry a DCSync attack and dump domain member hashes.target
and server
(DC with spoolss running on it):ws01$
appear like a Domain Controller and extract an NTLM hash for the user offense\spotless
which we know has high privileges in the domain: