nerdexam
EC-Council

312-50V13 · Question #505

A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for of

The correct answer is D. invalidate the TGS the attacker acquired. Kerberoasting Incident Response Invalidating the TGS (Ticket Granting Service ticket) the attacker acquired is the most immediate and targeted remediation step, as it directly neutralizes the stolen credential by rendering it unusable before the attacker can complete offline crac

Submitted by priya_blr· Mar 6, 2026System Hacking

Question

A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

Options

  • APerform a system reboot to clear the memory
  • BDelete the compromised user's account
  • CChange the NTLM password hash used to encrypt the ST
  • Dinvalidate the TGS the attacker acquired

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    9% (3)
  • C
    14% (5)
  • D
    74% (26)

Explanation

Kerberoasting Incident Response

Invalidating the TGS (Ticket Granting Service ticket) the attacker acquired is the most immediate and targeted remediation step, as it directly neutralizes the stolen credential by rendering it unusable before the attacker can complete offline cracking and leverage it for lateral movement or privilege escalation. This is typically achieved by resetting the password of the associated service account, which forces the generation of new encryption keys and invalidates any previously issued service tickets.

Why the distractors are wrong:

  • Option A (System reboot): While a reboot clears volatile memory, it does nothing to invalidate already-extracted tickets, which the attacker already possesses offline - the damage is already done.
  • Option B (Delete the account): Deleting the account is overly destructive, disrupts business operations, and is disproportionate as an immediate first step; the stolen ticket may still technically be valid until expiry.
  • Option C (Change NTLM hash): Kerberos Service Tickets are encrypted using the service account's RC4/AES key (derived from the password), not directly the NTLM hash - this option contains a factual mismatch in terminology, making it an inaccurate remediation description.

Memory Tip: Think "Kill the ticket at the source" - in Kerberoasting, the service account password IS the encryption key, so resetting it = invalidating all outstanding TGS tickets. If the ticket can't decrypt, the attack fails!

Topics

#Kerberoasting#Kerberos#Service Account Security#Incident Response

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice