🔥 3-day streak
CompTIA CySA+ (CS0-003)140 / 147
Question 140 of 147

A SOC analyst is reviewing Windows domain controller security logs after a threat-hunting hypothesis suggested an attacker may be attempting to obtain service account credentials offline. The analyst notices a single workstation account requesting a large number of Event ID 4769 (Kerberos service ticket requested) entries in a short window, with the ticket encryption type field showing 0x17 (RC4-HMAC) for many different service principal names. Which attack technique is most likely occurring?

Reviewed for accuracy · Report an issueNext question