Range Scenario · crucible · 30 min
Privilege Escalation: AI Triage of Token-Theft Alerts
This cybersecurity training scenario simulates a working incident. Twelve cybersecurity alerts surfaced privilege escalation activity overnight. An LLM categorizes each by escalation primitive. Verify the categorization and pick the one that needs IR escalation now.
Scenario briefing
You are a Tier 2 cybersecurity analyst on a 3,000-person SOC. Twelve EDR alerts from overnight name privilege-escalation primitives: token impersonation, UAC bypass, kernel exploit, sudo misconfiguration, GPO writeback. An LLM triage tool categorized each.
Your job: validate the LLM categorization, identify the alert that warrants immediate IR escalation, and explain the ATT&CK technique for each. The LLM tends to mislabel SeImpersonatePrivilege abuse as a UAC bypass.
Sources: MITRE ATT&CK TA0004 Privilege Escalation, T1068 Exploitation for Privilege Escalation, T1134 Access Token Manipulation.
What you will practice
- Distinguish kernel exploit, token theft, and UAC bypass primitives
- Map each escalation primitive to the right ATT&CK sub-technique
- Spot LLM mislabeling between similar-sounding privilege escalation classes
- Pick the alert that requires IR over the ones that warrant containment
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps are queued for manual review and do not affect the automatically computed final score in the MVP.
Each step has a maximum score of 100 points. Hint costs are listed before you reveal a hint and are deducted up front. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
What is the difference between T1134 and T1068?
T1068 is exploitation of a vulnerability for privilege escalation, like a kernel CVE. T1134 is access token manipulation, where the attacker steals or impersonates a token without exploiting a bug. T1134 is technique-of-design (using Windows the way it works); T1068 is technique-of-flaw (abusing a defect).
Why does the LLM confuse SeImpersonatePrivilege with UAC bypass?
Both involve elevating from a non-admin context to system-level. SeImpersonatePrivilege abuse (Rotten Potato, Juicy Potato) impersonates a service token. UAC bypass tricks the elevation prompt without user consent. The LLM sees 'go from medium to high integrity' and merges them. Defenders read the actual primitive: token-stealing tools versus auto-elevate exploitation.
What signal differentiates IR-grade from containable in this category?
Successful escalation to SYSTEM or domain admin is IR-grade. Failed attempts and escalation that stays within user-tier privileges are containable at Tier 2. Persistence after escalation (new service, scheduled task) is also IR-grade because it implies the attacker is staying.
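The two rules above (read the actual primitive rather than the LLM's label, then gate IR escalation on outcome and persistence) as a small triage check. This is an added example, not part of the scenario or its triage tool; the alert fields, the evidence strings and the sample alerts are constructed for illustration, while the ATT&CK IDs are the published MITRE ones.

```python
from dataclasses import dataclass, field

# Escalation primitive -> ATT&CK (sub-)technique; IDs as published by MITRE.
PRIMITIVE_TO_ATTACK = {
    "token_impersonation": "T1134.001",  # Token Impersonation/Theft
    "uac_bypass": "T1548.002",           # Bypass User Account Control
    "kernel_exploit": "T1068",           # Exploitation for Privilege Escalation
    "sudo_misconfig": "T1548.003",       # Sudo and Sudo Caching
    "gpo_writeback": "T1484.001",        # Group Policy Modification
}
TOKEN_THEFT_EVIDENCE = {"SeImpersonatePrivilege", "JuicyPotato", "RottenPotato"}
HIGH_VALUE_OUTCOMES = {"SYSTEM", "DOMAIN_ADMIN"}
PERSISTENCE_ACTIONS = {"new_service", "scheduled_task"}

@dataclass
class Alert:  # assumed schema, not a real EDR record
    alert_id: str
    llm_label: str          # primitive the LLM triage tool assigned
    edr_primitive: str      # primitive named in the EDR alert detail
    outcome: str            # FAILED, USER_TIER, SYSTEM or DOMAIN_ADMIN
    evidence: set = field(default_factory=set)      # tool/privilege strings
    post_actions: set = field(default_factory=set)  # what ran after escalation

def true_primitive(alert):
    # SeImpersonate/Potato evidence is token theft, whatever the LLM said.
    if alert.evidence & TOKEN_THEFT_EVIDENCE:
        return "token_impersonation"
    return alert.edr_primitive

def triage(alert):
    # Corrected technique, LLM mislabel flag, and IR-grade vs containable.
    primitive = true_primitive(alert)
    persisted = alert.outcome != "FAILED" and bool(alert.post_actions & PERSISTENCE_ACTIONS)
    return {
        "alert_id": alert.alert_id,
        "technique": PRIMITIVE_TO_ATTACK[primitive],
        "llm_mislabeled": alert.llm_label != primitive,
        "ir_grade": alert.outcome in HIGH_VALUE_OUTCOMES or persisted,
    }

# Constructed sample alerts (not real EDR output).
SAMPLE_ALERTS = [
    Alert("A1", "uac_bypass", "uac_bypass", "SYSTEM", {"SeImpersonatePrivilege", "JuicyPotato"}),
    Alert("A2", "uac_bypass", "uac_bypass", "FAILED", {"auto-elevate"}),
    Alert("A3", "kernel_exploit", "kernel_exploit", "FAILED", set(), {"new_service"}),
    Alert("A4", "sudo_misconfig", "sudo_misconfig", "USER_TIER", set(), {"scheduled_task"}),
]

def ir_queue(alerts):
    # Alert IDs that need IR escalation now, in triage order.
    return [r["alert_id"] for r in map(triage, alerts) if r["ir_grade"]]
```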
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.