Exam 312-50v12 All Questions

View all questions & answers for the 312-50v12 exam

Exam 312-50v12 topic 1 question 137 discussion

Actual exam question from ECCouncil's 312-50v12

Question #: 137
Topic #: 1

A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

A. Perform a system reboot to clear the memory
B. Delete the compromised user's account
C. Change the NTLM password hash used to encrypt the ST
D. Invalidate the TGS the attacker acquired

Show Suggested Answer

Suggested Answer: D 🗳️

by DarioReymag at Feb. 6, 2024, 10:38 p.m.

Comments

Submit Cancel

insaniunt

Highly Voted 1 year, 4 months ago

Selected Answer: D

D. Invalidate the TGS the attacker acquired: This is the best option among the four. Invalidating the TGS ticket will prevent the attacker from using it to access the network service, regardless of whether he cracks the password hash or not. This will effectively stop the Kerberoasting attack and protect the network from further compromise.

upvoted 6 times

...

kennels

Highly Voted 1 year, 4 months ago

Selected Answer: C

If the TGS ticket is disabled but the password is not changed, the attacker should be able to obtain the victim's password through offline cracking of the issued TGS and connect to the network entity, I think.

upvoted 5 times

...

KalingaDev

Most Recent 6 months, 3 weeks ago

Selected Answer: C

Changing the password will be more effective, otherwise, the same attack can happen.

upvoted 1 times

...

F4ll3n92

9 months, 2 weeks ago

the question ask the immediate step to do...so, i think that the correct answer is D

upvoted 1 times

...

noyon2002

10 months, 3 weeks ago

I Think C, the key word her is : But the attacker was stopped before he could complete his attack, that means he cannot access with the ticket acquired, and the after that the sentence said The system administrator needs to investigate and remediate the potential breach, so he should change the NTLM PWD hash used to encrypt the ST

upvoted 2 times

...

49f4430

1 year, 1 month ago

Selected Answer: D

You Invalidate the ticket and after you change the password. If you change the password the ticket is still valid... The question ask for immediate action : Action Nr.1 : Invalidate the ticket

upvoted 1 times

...

dellalba

1 year, 2 months ago

Selected Answer: D

The most insidious part about this attack is you can change the password for the KRBTGT account, but the authentication token is still valid. You can rebuild the DC, but that authentication token is still valid.

upvoted 1 times

...

0af6dbd

1 year, 2 months ago

Option C - Change the NTLM password hash used to encrypt the ST because the TGS is encrypted using the target service accounts’ NTLM password hash

upvoted 2 times

...

LordXander

1 year, 3 months ago

Selected Answer: D

The correct answer would be C & D. That would be complete..however, the most correct answer would be D since this would stop the Cyber Killchain (exploitation)...but if I would have this question in the exam...toss a coin

upvoted 1 times

...

Spam_Protection

1 year, 3 months ago

Selected Answer: D

Module 4 P.416: To crack the ST, attackers export the TGS tickets from memory and save them offline to the local system. Furthermore, attackers use different NTLM hashes to crack the ST and, on successfully cracking it, the service account password can be discovered. Attackers use tools such as Kerberoast to perform Kerberoasting attacks on Kerberos authentication.

upvoted 1 times

...