CEH v13 follows the Incident Response Lifecycle, which prioritizes identification and analysis before containment, unless there is immediate risk of catastrophic damage. In this scenario, the attacker has escalated privileges, but the organization still needs to understand what actions are being taken, what systems are affected, and whether lateral movement is occurring.
Option C aligns with CEH v13 best practices. Real-time monitoring and documentation allow analysts to:
- Identify attacker techniques and tools
- Preserve volatile evidence
- Understand scope and impact
- Implement targeted containment
Immediately powering down the server (Option B) may destroy volatile forensic evidence and disrupt services unnecessarily. Engaging forensic teams (Option A) is important but premature without initial analysis. Running vulnerability scans (Option D) does not address the active threat.
CEH v13 stresses that informed containment is more effective than reactive shutdowns. Therefore, Option C is correct.