Range Scenario · crucible · 30 min
Endpoint Anomaly Investigation: LLM Process-Tree Summarization
This training scenario simulates a live incident. An EDR alert flags unusual Discovery-tactic activity on a finance workstation. An LLM summarizes the process tree and proposes a verdict. Your job: read the raw telemetry, verify the summary against it, and decide.
Scenario briefing
You work in the SOC of a 5,000-person organization. The EDR raised a Discovery-tactic alert on FIN-WS-031: net.exe, whoami.exe, ipconfig.exe, and nltest.exe ran in sequence within 12 seconds. An LLM summarizer reads the process tree and drafts a one-paragraph verdict.
The raw telemetry shows the user logged on 90 seconds before the discovery burst began. The user is a financial analyst with no scripting history and no record of running any of these tools. The LLM proposes: 'Likely benign troubleshooting.' You disagree.
This scenario tests Discovery-tactic recognition, the use of LLM summaries as a drafting tool, and the analyst's responsibility to reject a summary that contradicts the raw evidence. Sources: MITRE ATT&CK TA0007 Discovery, NIST SP 800-61r2 (2012; superseded by Rev. 3 in 2025, but the r2 incident-handling phases are what this scenario references).
What you will practice
- Recognize the Discovery tactic from process telemetry
- Map net.exe, whoami.exe, ipconfig.exe, nltest.exe to specific MITRE techniques
- Identify when an LLM summary contradicts the underlying evidence
- Decide between immediate isolation and watch-and-learn based on context
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps are queued for manual review and do not count toward the automatically computed final score in the current (MVP) release.
Each step has a maximum score of 100 points. Each hint costs a fixed number of points, shown before you reveal it, and the deduction applies whether or not you then answer correctly. Your final score is the sum across steps. Your Range Elo updates on completion based on the scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
Why is the Discovery tactic an early-stage indicator?
Discovery activity typically follows initial access and execution and precedes lateral movement. Attackers run commands to map the environment: who they are, what privileges they hold, what network they are on, what domain they are in, and what other systems exist. A burst of several distinct discovery commands within seconds, from a user who never runs them otherwise, is a high-signal early-stage indicator precisely because it is cheap for the attacker and out of character for the account.
What does nltest.exe usage indicate?
nltest.exe queries domain trust relationships and domain controller information. Domain admins use it for diagnostics; attackers use it for domain enumeration. On a finance analyst's workstation it has almost no legitimate reason to run. The arguments decide the technique: `nltest /dclist:<domain>` enumerates domain controllers and maps to MITRE T1018 Remote System Discovery, while `nltest /domain_trusts` maps to T1482 Domain Trust Discovery. Check the command line in the telemetry, not just the image name, before assigning the technique ID.
Why not auto-isolate on every Discovery alert?
Auto-isolation on every Discovery alert produces too many false positives from sysadmin baseline activity: the same four tools run daily from IT workstations. The cost of a wrong isolation is user disruption and lost trust in the SOC. Most mature SOCs combine the Discovery telemetry with behavioral context (user role, per-user tool baseline, time since logon) before triggering isolation. An LLM can draft that context, but the analyst must check each claim in the draft against the raw process events before acting on it.
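One way to run this triage as code, added here as an illustration and not taken from the DecipherU scenario: it maps each process event to ATT&CK technique IDs by image name and arguments (the mapping asked for in the briefing and the nltest.exe answer), finds bursts of distinct discovery tools per user (the burst signal described above), then combines the burst with role, tool baseline and time since logon (the context this answer says must precede isolation) and rejects an LLM verdict that calls the burst benign when that context says isolate. The event schema, the user-context table, the sysadmin comparison events and the 60-second window, 3-tool and 5-minute-since-logon thresholds are assumptions; the technique IDs are MITRE's.

```python
"""Burst-of-discovery triage over constructed EDR telemetry. Added example, not
DecipherU code: event schema, user-context table and thresholds are assumptions."""
from datetime import datetime, timedelta

# Discovery tool -> ATT&CK technique IDs (TA0007). net.exe and nltest.exe depend on arguments.
TECHNIQUE_MAP = {
    "whoami.exe": [("", ["T1033"])],                  # System Owner/User Discovery
    "ipconfig.exe": [("", ["T1016"])],                # System Network Configuration Discovery
    "nltest.exe": [("/domain_trusts", ["T1482"]),     # Domain Trust Discovery
                   ("/dclist", ["T1018"]),            # Remote System Discovery
                   ("", ["T1018", "T1482"])],         # unknown arguments: both candidates
    "net.exe": [("user", ["T1087"]),                  # Account Discovery
                ("group", ["T1069"]),                 # Permission Groups Discovery
                ("view", ["T1135", "T1018"])],        # Network Share / Remote System Discovery
}

# Constructed events: the scenario burst (4 tools in 12 s, 90 s after logon) plus a sysadmin
# doing routine work that a naive auto-isolation rule would also catch.
FIELDS = ("ts", "type", "host", "user", "image", "cmdline")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2024-03-12T09:14:00Z", "logon", "FIN-WS-031", "jdoe", "", ""),
    ("2024-03-12T09:15:30Z", "process", "FIN-WS-031", "jdoe", "whoami.exe", "whoami /all"),
    ("2024-03-12T09:15:33Z", "process", "FIN-WS-031", "jdoe", "ipconfig.exe", "ipconfig /all"),
    ("2024-03-12T09:15:37Z", "process", "FIN-WS-031", "jdoe", "net.exe", "net user /domain"),
    ("2024-03-12T09:15:42Z", "process", "FIN-WS-031", "jdoe", "nltest.exe", "nltest /domain_trusts"),
    ("2024-03-12T14:01:10Z", "process", "IT-WS-004", "ops-admin", "ipconfig.exe", "ipconfig /all"),
    ("2024-03-12T14:01:25Z", "process", "IT-WS-004", "ops-admin", "nltest.exe", "nltest /dclist:corp"),
    ("2024-03-12T14:01:50Z", "process", "IT-WS-004", "ops-admin", "net.exe", "net view \\\\fs01"),
]]

# Behavioral context the LLM summary did not use: role and per-user tool baseline (assumed).
USER_CONTEXT = {
    "jdoe": {"role": "financial analyst", "admin": False, "baseline_tools": set()},
    "ops-admin": {"role": "sysadmin", "admin": True,
                  "baseline_tools": {"ipconfig.exe", "net.exe", "nltest.exe", "whoami.exe"}},
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def map_techniques(image, cmdline):
    """ATT&CK technique IDs for one process event; [] if it is not a discovery tool."""
    for pattern, ids in TECHNIQUE_MAP.get(image.lower(), []):
        if pattern in cmdline.lower():   # "" matches anything, so it acts as the fallback
            return list(ids)
    return []

def find_discovery_bursts(events, window_s=60, min_tools=3):
    """Per user, find runs of >= min_tools distinct discovery tools inside window_s seconds."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process" and map_techniques(e["image"], e["cmdline"]):
            by_user.setdefault(e["user"], []).append(e)
    bursts = []
    for user, procs in by_user.items():
        i = 0
        while i < len(procs):
            start = parse_ts(procs[i]["ts"])
            run = [p for p in procs[i:] if parse_ts(p["ts"]) - start <= timedelta(seconds=window_s)]
            tools = sorted({p["image"].lower() for p in run})
            if len(tools) < min_tools:
                i += 1
                continue
            techniques = {t for p in run for t in map_techniques(p["image"], p["cmdline"])}
            bursts.append({"user": user, "host": run[0]["host"], "start": run[0]["ts"],
                           "span_s": int((parse_ts(run[-1]["ts"]) - start).total_seconds()),
                           "tools": tools, "techniques": sorted(techniques)})
            i += len(run)
    return bursts

def assess_burst(burst, events, user_context):
    """Combine the burst with role, tool baseline and time since logon into a verdict."""
    ctx = user_context.get(burst["user"], {"role": "unknown", "admin": False, "baseline_tools": set()})
    start = parse_ts(burst["start"])
    logons = [parse_ts(e["ts"]) for e in events
              if e["type"] == "logon" and e["user"] == burst["user"] and parse_ts(e["ts"]) <= start]
    since_logon = int((start - max(logons)).total_seconds()) if logons else None
    novel = [t for t in burst["tools"] if t not in ctx["baseline_tools"]]
    reasons = []
    if since_logon is not None and since_logon <= 300:
        reasons.append(f"discovery began {since_logon}s after logon")
    if novel:
        reasons.append("tools with no history for this user: " + ", ".join(novel))
    if "nltest.exe" in burst["tools"] and not ctx["admin"]:
        reasons.append(f"nltest.exe (T1018/T1482) run by non-admin role '{ctx['role']}'")
    # Isolate when the tools are new for this user and the role has no admin duties; a sysadmin
    # running baseline tooling stays on watch-and-learn (the false-positive case above).
    verdict = "isolate" if novel and not ctx["admin"] else "watch"
    return {"user": burst["user"], "host": burst["host"], "verdict": verdict,
            "since_logon_s": since_logon, "techniques": burst["techniques"], "reasons": reasons}

def review_llm_summary(assessment, summary):
    """Reject an LLM verdict that calls the burst benign while the evidence says isolate."""
    calls_benign = any(w in summary.lower() for w in ("benign", "troubleshooting", "expected"))
    rejected = calls_benign and assessment["verdict"] == "isolate"
    return {"accept": not rejected, "contradicted_by": assessment["reasons"] if rejected else []}

if __name__ == "__main__":
    for b in find_discovery_bursts(SAMPLE_EVENTS):
        a = assess_burst(b, SAMPLE_EVENTS, USER_CONTEXT)
        print(a, review_llm_summary(a, "Likely benign troubleshooting."))
```

Run as-is, the finance burst comes back `isolate` with three reasons and the LLM's 'Likely benign troubleshooting.' is rejected with those reasons attached; the sysadmin burst, identical in shape, comes back `watch` with no reasons, which is the distinction an isolation rule keyed on tool names alone cannot make. In a real pipeline the baseline set would come from historical process telemetry per user rather than a hand-written table.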
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.