ExamTopics Logo
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-50v12 All Questions

View all questions & answers for the 312-50v12 exam
Go to Exam

Exam 312-50v12 topic 1 question 137 discussion

Actual exam question from ECCouncil's 312-50v12
Question #: 137
Topic #: 1
[All 312-50v12 Questions]

A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

  • A. Perform a system reboot to clear the memory
  • B. Delete the compromised user's account
  • C. Change the NTLM password hash used to encrypt the ST
  • D. Invalidate the TGS the attacker acquired
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by DarioReymag at Feb. 6, 2024, 10:38 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
insaniunt
Highly Voted 1 year, 3 months ago
Selected Answer: D
D. Invalidate the TGS the attacker acquired: This is the best option among the four. Invalidating the TGS ticket will prevent the attacker from using it to access the network service, regardless of whether he cracks the password hash or not. This will effectively stop the Kerberoasting attack and protect the network from further compromise.
upvoted 6 times
...
kennels
Highly Voted 1 year, 2 months ago
Selected Answer: C
If the TGS ticket is disabled but the password is not changed, the attacker should be able to obtain the victim's password through offline cracking of the issued TGS and connect to the network entity, I think.
upvoted 5 times
...
KalingaDev
Most Recent 5 months ago
Selected Answer: C
Changing the password will be more effective, otherwise, the same attack can happen.
upvoted 1 times
...
F4ll3n92
7 months, 4 weeks ago
the question ask the immediate step to do...so, i think that the correct answer is D
upvoted 1 times
...
noyon2002
9 months, 1 week ago
I Think C, the key word her is : But the attacker was stopped before he could complete his attack, that means he cannot access with the ticket acquired, and the after that the sentence said The system administrator needs to investigate and remediate the potential breach, so he should change the NTLM PWD hash used to encrypt the ST
upvoted 2 times
...
49f4430
11 months, 4 weeks ago
Selected Answer: D
You Invalidate the ticket and after you change the password. If you change the password the ticket is still valid... The question ask for immediate action : Action Nr.1 : Invalidate the ticket
upvoted 1 times
...
dellalba
1 year, 1 month ago
Selected Answer: D
The most insidious part about this attack is you can change the password for the KRBTGT account, but the authentication token is still valid. You can rebuild the DC, but that authentication token is still valid.
upvoted 1 times
...
0af6dbd
1 year, 1 month ago
Option C - Change the NTLM password hash used to encrypt the ST because the TGS is encrypted using the target service accounts’ NTLM password hash
upvoted 2 times
...
LordXander
1 year, 1 month ago
Selected Answer: D
The correct answer would be C & D. That would be complete..however, the most correct answer would be D since this would stop the Cyber Killchain (exploitation)...but if I would have this question in the exam...toss a coin
upvoted 1 times
...
Spam_Protection
1 year, 2 months ago
Selected Answer: D
Module 4 P.416: To crack the ST, attackers export the TGS tickets from memory and save them offline to the local system. Furthermore, attackers use different NTLM hashes to crack the ST and, on successfully cracking it, the service account password can be discovered. Attackers use tools such as Kerberoast to perform Kerberoasting attacks on Kerberos authentication.
upvoted 1 times
...
LeongCC
1 year, 2 months ago
Selected Answer: C
ChatGPT checked C
upvoted 2 times
...
przemyslaw1
1 year, 3 months ago
Selected Answer: C
C. Change the NTLM password
upvoted 1 times
...
przemyslaw1
1 year, 3 months ago
C. Change the NTLM password hash used to encrypt the ST because the TGS is encrypted using the target service accounts’ NTLM password hash
upvoted 3 times
...
cloudgangster
1 year, 3 months ago
Selected Answer: D
D is it.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago