312-50V13 · Question #505
A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for of
The correct answer is D. invalidate the TGS the attacker acquired. Kerberoasting Incident Response Invalidating the TGS (Ticket Granting Service ticket) the attacker acquired is the most immediate and targeted remediation step, as it directly neutralizes the stolen credential by rendering it unusable before the attacker can complete offline crac
Question
Options
- APerform a system reboot to clear the memory
- BDelete the compromised user's account
- CChange the NTLM password hash used to encrypt the ST
- Dinvalidate the TGS the attacker acquired
How the community answered
(35 responses)- A3% (1)
- B9% (3)
- C14% (5)
- D74% (26)
Explanation
Kerberoasting Incident Response
Invalidating the TGS (Ticket Granting Service ticket) the attacker acquired is the most immediate and targeted remediation step, as it directly neutralizes the stolen credential by rendering it unusable before the attacker can complete offline cracking and leverage it for lateral movement or privilege escalation. This is typically achieved by resetting the password of the associated service account, which forces the generation of new encryption keys and invalidates any previously issued service tickets.
Why the distractors are wrong:
- Option A (System reboot): While a reboot clears volatile memory, it does nothing to invalidate already-extracted tickets, which the attacker already possesses offline - the damage is already done.
- Option B (Delete the account): Deleting the account is overly destructive, disrupts business operations, and is disproportionate as an immediate first step; the stolen ticket may still technically be valid until expiry.
- Option C (Change NTLM hash): Kerberos Service Tickets are encrypted using the service account's RC4/AES key (derived from the password), not directly the NTLM hash - this option contains a factual mismatch in terminology, making it an inaccurate remediation description.
Memory Tip: Think "Kill the ticket at the source" - in Kerberoasting, the service account password IS the encryption key, so resetting it = invalidating all outstanding TGS tickets. If the ticket can't decrypt, the attack fails!
Topics
Community Discussion
No community discussion yet for this question.