You are a Tier 2 cybersecurity analyst on a 3,000-person SOC. Twelve EDR alerts from overnight name privilege-escalation primitives: token impersonation, UAC bypass, kernel exploit, sudo misconfiguration, GPO writeback. An LLM triage tool categorized each.
Your job: validate the LLM categorization, identify the alert that warrants immediate IR escalation, and explain the ATT&CK technique behind each alert. Watch for one known failure mode: the LLM tends to mislabel SeImpersonatePrivilege abuse (T1134.001, Token Impersonation/Theft) as a UAC bypass (T1548.002). The two are not interchangeable: UAC mediates an interactive administrator's medium-integrity token, while SeImpersonatePrivilege abuse is typically a service account going straight to SYSTEM with no UAC prompt involved.
Sources: MITRE ATT&CK TA0004 Privilege Escalation, T1068 Exploitation for Privilege Escalation, T1134 Access Token Manipulation.
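As an added example, not part of the exercise materials or its canonical solution: a small Python cross-check that re-derives each alert's ATT&CK technique from keywords in the alert text and lists every alert where the LLM label disagrees. The rule table, its keyword patterns and the six sample alerts are constructed for illustration; the technique IDs are the real ATT&CK identifiers. The token-impersonation rule is deliberately ordered before the UAC rule, which is what catches the SeImpersonatePrivilege mislabel.

```python
"""Cross-check LLM-assigned ATT&CK technique IDs on privilege-escalation
alerts against a small deterministic rule table and report disagreements.
The rule table and sample alerts are constructed for illustration; the
technique IDs are the real ATT&CK identifiers."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered rule table: (regex over the lower-cased alert text, ATT&CK technique).
# The token-impersonation rule comes BEFORE the UAC rule on purpose: UAC only
# mediates an interactive administrator's medium-integrity token, whereas
# SeImpersonatePrivilege abuse (Potato family, PrintSpoofer) is a service
# account such as IIS or MSSQL going straight to SYSTEM, with no UAC prompt
# involved. Letting the UAC rule match first is exactly the mislabel we catch.
RULES: List[Tuple[str, str]] = [
    (r"seimpersonateprivilege|token impersonation|impersonat\w+ (a |the )?token|potato|printspoofer",
     "T1134.001"),   # Access Token Manipulation: Token Impersonation/Theft
    (r"uac bypass|bypass(ed|ing)? uac|fodhelper\.exe|eventvwr\.exe|auto-?elevat",
     "T1548.002"),   # Abuse Elevation Control Mechanism: Bypass User Account Control
    (r"\bsudo\b|sudoers", "T1548.003"),  # Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    (r"kernel (exploit|driver)|ring ?0", "T1068"),  # Exploitation for Privilege Escalation
    (r"\bgpo\b|group policy|sysvol", "T1484.001"),  # Domain Policy Modification: Group Policy Modification
]

TECHNIQUE_NAMES = {
    "T1134.001": "Access Token Manipulation: Token Impersonation/Theft",
    "T1548.002": "Abuse Elevation Control Mechanism: Bypass User Account Control",
    "T1548.003": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
    "T1068": "Exploitation for Privilege Escalation",
    "T1484.001": "Domain Policy Modification: Group Policy Modification",
}


@dataclass
class Alert:
    alert_id: str
    description: str   # EDR alert text as the analyst sees it
    llm_label: str     # technique ID the LLM triage tool assigned


def expected_technique(description: str) -> Optional[str]:
    """First matching rule wins; None means the table cannot map the alert."""
    text = description.lower()
    for pattern, technique in RULES:
        if re.search(pattern, text):
            return technique
    return None


def validate(alerts: List[Alert]) -> List[Tuple[str, str, str]]:
    """Return (alert_id, llm_label, expected) for every alert the LLM got
    wrong, plus (alert_id, llm_label, "UNMAPPED") for alerts the rule table
    cannot classify; both kinds need a human, not an automatic re-label."""
    findings = []
    for alert in alerts:
        expected = expected_technique(alert.description)
        if expected is None:
            findings.append((alert.alert_id, alert.llm_label, "UNMAPPED"))
        elif expected != alert.llm_label:
            findings.append((alert.alert_id, alert.llm_label, expected))
    return findings


# Constructed sample alerts (not the twelve from the exercise).
SAMPLE_ALERTS = [
    Alert("A-01", "w3wp.exe holding SeImpersonatePrivilege spawned cmd.exe as "
                  "NT AUTHORITY\\SYSTEM via token impersonation", "T1548.002"),
    Alert("A-02", "fodhelper.exe started after write to HKCU\\Software\\Classes\\"
                  "ms-settings\\shell\\open\\command; child cmd.exe at High integrity", "T1548.002"),
    Alert("A-03", "sudo -l shows (ALL) NOPASSWD: /usr/bin/vim; root shell spawned from vim", "T1548.003"),
    Alert("A-04", "kernel exploit against a vulnerable third-party driver; low-privilege "
                  "process now running as SYSTEM", "T1068"),
    Alert("A-05", "Group Policy object edited: GptTmpl.inf in SYSVOL rewritten to add a "
                  "new account to local Administrators", "T1484.001"),
    Alert("A-06", "scheduled task created by svc_backup and run as SYSTEM", "T1053.005"),
]

if __name__ == "__main__":
    for alert_id, llm_label, expected in validate(SAMPLE_ALERTS):
        print(f"{alert_id}: LLM said {llm_label}, rules say {expected} "
              f"({TECHNIQUE_NAMES.get(expected, 'manual review')})")
```

Run it directly to print the disagreements. On the sample set it flags A-01 (labelled UAC bypass, actually token impersonation) and A-06, which the table cannot place and reports as UNMAPPED; an unmapped alert belongs in the manual-review queue rather than being auto-relabelled. The script only checks the categorization; deciding which alert warrants IR escalation remains the analyst's call.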
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.