Range Scenario · gauntlet · 40 min
Lateral Movement: AI-Powered Graph Analysis of Identity Logs
This cybersecurity training scenario simulates a working incident. An AI graph model surfaces a path from a marketing user to a domain controller in 7 hops over 4 hours. Read the path, validate each hop, and decide whether it is an attack chain or admin baseline.
Scenario briefing
You are a senior cybersecurity threat hunter at Example Corp (4,500 employees). Your team deployed an AI graph model that ingests authentication logs, EDR process telemetry, and Microsoft Entra sign-ins. It builds a directed graph of user-to-host-to-host transitions and flags paths that break baseline.
This morning the model flagged a 7-hop path, traversed in 4 hours: marketing user MKT-22 to a marketing workstation, then to a finance file server, to a finance jump box, to an admin tier-1 system, to the Active Directory PowerShell admin host, and finally to a domain controller. The model assigned confidence 0.81.
This scenario tests reading attack graphs, validating each hop against raw evidence, and avoiding the trap of trusting a graph algorithm when the data feeding it is incomplete. Sources: MITRE ATT&CK T1021 Remote Services, BloodHound graph theory papers (Robbins et al. 2018).
What you will practice
- Read identity graph paths and pick the suspicious hop
- Distinguish RDP, SMB, WinRM, and PsExec lateral movement
- Validate AI graph output against raw authentication logs
- Pick containment that stops the path without breaking AD replication
How this scenario is scored
The scenario has 7 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, listed before you reveal them. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Advanced) and your final score percentage.
Frequently asked questions
What is an attack graph in the BloodHound or AI sense?
An attack graph models principals (users, computers, groups) as nodes and relationships (member-of, has-session, can-rdp-to) as edges. AI variants score paths by anomaly and reachability. Defenders use the graph to find Tier 0 reachable paths and to spot unusual real-time traversal that does not match historical patterns.
Why do graph models false-positive on admin baseline?
Tier 0 admins routinely traverse multi-hop paths during patching, troubleshooting, and migrations. A graph model trained without explicit admin labels will flag legitimate admin work as anomaly. Most mature programs feed in role labels and exclude approved jump-server flows from anomaly scoring.
What is the difference between T1021.001 and T1021.002?
T1021.001 is RDP (Remote Desktop Protocol) on TCP 3389. T1021.002 is SMB / Windows Admin Shares (PsExec, scheduled tasks via SMB, and WMI exec over SMB). Both are common lateral movement; the sub-technique split matters for detection because the network and process signatures differ.
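The three FAQ answers above describe one workflow: build a user-to-host graph from authentication events, find a time-ordered path to a Tier 0 asset, suppress hops that are explicitly approved admin flows, and tag each remaining hop with the T1021 sub-technique its port and process signature implies. The block below is an added illustration of that workflow written for this page; it is not DecipherU's scenario code or the AI model the briefing describes. The events, host names (WS-MKT-22, FS-FIN-01, JMP-FIN-01, T1-ADM-01, AD-PS-01, DC-01), the admin account ADM-07, the role labels and the approved-flow list are all constructed, and the port-to-technique map adds T1021.006 (Windows Remote Management) for the WinRM hop, which the page mentions by name but not by ID.

```python
from collections import defaultdict, deque

# Constructed sample authentication events shaped like the briefing's path.
# Tuple layout: (timestamp, acting user, src node, dst host, dst port, process).
# A port of None marks an interactive logon (user node -> host), not lateral movement.
EVENTS = [
    ("2024-05-01T07:58:00", "MKT-22", "MKT-22",     "WS-MKT-22",  None, "winlogon.exe"),
    ("2024-05-01T08:02:00", "MKT-22", "WS-MKT-22",  "FS-FIN-01",  445,  "explorer.exe"),
    ("2024-05-01T08:41:00", "MKT-22", "FS-FIN-01",  "JMP-FIN-01", 3389, "mstsc.exe"),
    ("2024-05-01T09:35:00", "MKT-22", "JMP-FIN-01", "T1-ADM-01",  445,  "psexec.exe"),
    ("2024-05-01T10:20:00", "MKT-22", "T1-ADM-01",  "AD-PS-01",   5985, "powershell.exe"),
    ("2024-05-01T11:58:00", "MKT-22", "AD-PS-01",   "DC-01",      445,  "psexec.exe"),
    # Routine admin traversal the same morning, used to show baseline suppression.
    ("2024-05-01T07:30:00", "ADM-07", "JMP-FIN-01", "T1-ADM-01",  3389, "mstsc.exe"),
]

# Hypothetical role labels and approved (role, src, dst) jump-server flows.
ROLE_LABELS = {"ADM-07": "tier1-admin", "MKT-22": "marketing"}
APPROVED_FLOWS = {("tier1-admin", "JMP-FIN-01", "T1-ADM-01")}

# ATT&CK sub-technique implied by the destination port of a hop.
TECHNIQUE_BY_PORT = {
    3389: "T1021.001",  # RDP
    445: "T1021.002",   # SMB / Windows Admin Shares (PsExec, WMI over SMB)
    5985: "T1021.006",  # WinRM over HTTP
    5986: "T1021.006",  # WinRM over HTTPS
}


def classify_hop(port):
    """Tag a hop with the sub-technique its network signature implies."""
    if port is None:
        return "interactive-logon"
    return TECHNIQUE_BY_PORT.get(port, "unknown")


def build_graph(events, user=None):
    """Adjacency list keyed by source node; optionally restrict to one acting user."""
    graph = defaultdict(list)
    for ev in events:
        if user is None or ev[1] == user:
            graph[ev[2]].append(ev)
    return graph


def find_path(graph, start, target):
    """Breadth-first search for a TIME-ORDERED path of events from start to target.

    A hop is only followed if its timestamp is not earlier than the previous hop,
    so unrelated earlier sessions on the same hosts cannot be stitched into the
    path. Timestamps share one ISO format, so string comparison orders them.
    """
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        last_ts = path[-1][0] if path else ""
        visited = {start} | {ev[3] for ev in path}   # no cycles within one path
        for ev in graph.get(node, []):
            if ev[0] >= last_ts and ev[3] not in visited:
                queue.append((ev[3], path + [ev]))
    return None


def hop_report(path):
    """List (src, dst, technique) for each hop so an analyst can validate hop by hop."""
    return [(ev[2], ev[3], classify_hop(ev[4])) for ev in path]


def score_path(path, role_labels, approved_flows):
    """Return (anomalous_hops, total_hops, elapsed_hours).

    A hop counts as baseline only when the acting user's role is explicitly
    approved for that src->dst flow; unlabeled users are never baseline.
    """
    anomalous = 0
    for ev in path:
        role = role_labels.get(ev[1], "unlabeled")
        if (role, ev[2], ev[3]) not in approved_flows:
            anomalous += 1
    from datetime import datetime
    t0 = datetime.fromisoformat(path[0][0])
    t1 = datetime.fromisoformat(path[-1][0])
    return anomalous, len(path), (t1 - t0).total_seconds() / 3600


if __name__ == "__main__":
    flagged = find_path(build_graph(EVENTS), "MKT-22", "DC-01")
    for src, dst, technique in hop_report(flagged):
        print(f"{src:>11} -> {dst:<11} {technique}")
    print("anomalous/total hops, elapsed h:", score_path(flagged, ROLE_LABELS, APPROVED_FLOWS))
    admin = find_path(build_graph(EVENTS, user="ADM-07"), "JMP-FIN-01", "T1-ADM-01")
    print("admin baseline:", score_path(admin, ROLE_LABELS, APPROVED_FLOWS))
```

Two design points carry the FAQ's lessons. The time-ordering check in `find_path` is what keeps ADM-07's 07:30 session from being spliced into MKT-22's path, and it is the kind of constraint a raw-log validation of each hop should confirm before trusting the model's edge. The baseline check in `score_path` suppresses only flows that are labelled and approved; an unlabelled user on a jump-server route stays anomalous, which is the behaviour the second FAQ answer says mature programs rely on.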
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.