Certified Ethical Hacker (CEH v13) — Question 14
A malicious user has acquired a Ticket Granting Service (TGS) ticket from the domain controller using a valid user's Ticket Granting Ticket (TGT) in a Kerberoasting attack. He extracted the TGS tickets from memory for offline cracking, but was stopped before he could complete the attack. The system administrator needs to investigate and remediate the potential breach. What should be the system administrator's immediate step?
Answer options
- A. Perform a system reboot to clear the memory
- B. Delete the compromised user's account
- C. Change the NTLM password hash used to encrypt the ST
- D. Invalidate the TGS the attacker acquired
Correct answer: C
Explanation
A service ticket (the TGS ticket, or ST) is encrypted with the long-term key of the service account that owns the requested SPN; for RC4-HMAC tickets that key is simply the account's NTLM (NT) password hash, which is what makes Kerberoasting practical: the attacker can guess passwords offline and check each guess against the ticket without touching the domain controller again. Once the tickets have been extracted, nothing done to the tickets or to the domain controller changes that calculation. The immediate step is therefore to change the password of the affected service account(s), which replaces the NT hash (and the AES keys derived from the new password): any ticket the attacker already holds is encrypted under the old key, so cracking it no longer yields a credential that works. Rebooting (A) may clear memory on the host, but the attacker already has a copy of the tickets. Deleting the user whose TGT was used (B) does not help, because that account's credential is not what is being cracked; the service account's key is. Invalidating the acquired TGS (D) only stops its use against the service, not offline cracking of the copy the attacker holds. As follow-up hardening, give SPN accounts long random passwords or move them to group Managed Service Accounts, disable RC4 for them via msDS-SupportedEncryptionTypes so only AES tickets are issued, and watch Security event 4769 for bursts of RC4 (encryption type 0x17) ticket requests from a single user.
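The detection and triage side of the explanation, as an added example that is not part of the CEH page: it scans Windows Security event 4769 records for the Kerberoasting pattern (one user requesting RC4-HMAC service tickets for several distinct SPN accounts in a short window) and returns the list of service accounts whose passwords must be rotated. The event lines, the five-minute window and the three-service threshold are constructed assumptions for illustration; real events come from the DC's Security log, and legitimate legacy applications can also request RC4 tickets, so the output is a triage list, not proof of compromise.

```python
"""
Added example (not from the CEH page): flag Kerberoasting-style 4769 service
ticket requests and list the service accounts whose passwords need rotating.

Assumptions: events have been flattened to one "Field: value" line each
(constructed sample below); field names follow the 4769 audit event
(TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

RC4_HMAC = 0x17              # TicketEncryptionType for RC4-HMAC: key is the NT hash
WINDOW = timedelta(minutes=5)  # assumed alert window
MIN_SERVICES = 3             # assumed threshold of distinct SPN accounts per window

# Constructed sample of Event ID 4769 records (not real log data).
SAMPLE_EVENTS = """\
TimeCreated: 2024-05-02T09:14:03 TargetUserName: jdoe@CORP.LOCAL ServiceName: krbtgt TicketEncryptionType: 0x12 IpAddress: 10.0.0.15
TimeCreated: 2024-05-02T09:14:05 TargetUserName: jdoe@CORP.LOCAL ServiceName: svc_sql TicketEncryptionType: 0x17 IpAddress: 10.0.0.15
TimeCreated: 2024-05-02T09:14:05 TargetUserName: jdoe@CORP.LOCAL ServiceName: svc_http TicketEncryptionType: 0x17 IpAddress: 10.0.0.15
TimeCreated: 2024-05-02T09:14:06 TargetUserName: jdoe@CORP.LOCAL ServiceName: svc_backup TicketEncryptionType: 0x17 IpAddress: 10.0.0.15
TimeCreated: 2024-05-02T09:14:06 TargetUserName: jdoe@CORP.LOCAL ServiceName: WEBSRV01$ TicketEncryptionType: 0x17 IpAddress: 10.0.0.15
TimeCreated: 2024-05-02T09:20:41 TargetUserName: asmith@CORP.LOCAL ServiceName: svc_sql TicketEncryptionType: 0x12 IpAddress: 10.0.0.22
TimeCreated: 2024-05-02T11:02:10 TargetUserName: asmith@CORP.LOCAL ServiceName: svc_legacy TicketEncryptionType: 0x17 IpAddress: 10.0.0.22
"""

FIELD_RE = re.compile(r"(\w+): (\S+)")


def parse_events(text):
    """Turn the flattened 4769 lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        events.append({
            "time": datetime.fromisoformat(fields["TimeCreated"]),
            "requester": fields["TargetUserName"],
            "service": fields["ServiceName"],
            "etype": int(fields["TicketEncryptionType"], 16),
            "ip": fields["IpAddress"],
        })
    return events


def is_crackable_request(ev):
    """RC4 tickets for user-owned SPNs are the ones worth cracking offline.
    krbtgt (the TGT) and computer accounts (long random passwords) are skipped."""
    return (ev["etype"] == RC4_HMAC
            and ev["service"].lower() != "krbtgt"
            and not ev["service"].endswith("$"))


def find_kerberoast_candidates(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return {(requester, ip): [services]} for requesters that asked for RC4
    tickets to at least min_services distinct SPN accounts within one window."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_crackable_request(ev):
            by_requester[(ev["requester"], ev["ip"])].append(ev)

    flagged = {}
    for key, evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):           # sliding window from each request
            services = {e["service"] for e in evs[i:]
                        if e["time"] - start["time"] <= window}
            if len(services) >= min_services:
                flagged[key] = sorted(services)
                break
    return flagged


def accounts_to_rotate(flagged):
    """The immediate remediation list: every SPN account whose ticket was requested."""
    return sorted({svc for services in flagged.values() for svc in services})


if __name__ == "__main__":
    hits = find_kerberoast_candidates(parse_events(SAMPLE_EVENTS))
    for (user, ip), services in hits.items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
    print("rotate passwords for:", accounts_to_rotate(hits))
```

On the constructed sample only jdoe is flagged (three user-owned SPN accounts in about a second); the single RC4 request by asmith to svc_legacy stays below the threshold, and the AES (0x12) requests and the WEBSRV01$ computer-account ticket are ignored. The rotation list is the input to the actual fix from the explanation: reset those accounts' passwords (or convert them to gMSAs) and then restrict them to AES so the same ticket type cannot be requested again.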