Certified Ethical Hacker (CEH v12) — Question 138

A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

Answer options

• A. Perform a system reboot to clear the memory
• B. Delete the compromised user's account
• C. Change the NTLM password hash used to encrypt the ST
• D. Invalidate the TGS the attacker acquired

Correct answer: D

Explanation

The immediate action the system administrator should take is to invalidate the TGS acquired by the attacker, as this prevents any further use of the compromised ticket. Rebooting the system may clear memory but does not address the breach itself, while deleting the user's account or changing the NTLM password hash are not immediate responses to the compromised TGS.