
Privilege escalation is often the point where an intrusion shifts from limited access to broader operational control. Attackers take advantage of misconfigurations, weak permissions, and trusted system behavior to elevate privileges quietly and maintain momentum inside an environment. For defenders, these techniques can be difficult to isolate from legitimate administrative activity, especially at scale. This Level 2 workshop focuses on recognizing those subtle signals and building confidence in investigating escalation paths within real telemetry.
Level 2 sessions build on foundational concepts by working through richer datasets, more complex investigative paths, and deeper analytical decision-making. While completing the Level 1 Privilege Escalation workshop is not required, it provides helpful background for hunters who want to refresh the core techniques. You can access the Level 1 session here: Level 1 Privilege Escalation Workshop.
During the session, you’ll work through privilege escalation scenarios that reflect how these techniques appear in production environments. You’ll analyze process behavior, permission changes, authentication artifacts, and system modifications to determine where escalation occurred, how it was achieved, and what it enables next. Threat intelligence is used to inform hypotheses and guide investigative direction, so the investigation does not rely on isolated indicators.
What to Expect:
By the end of the session, participants will have a clearer framework for identifying privilege escalation behaviors, validating suspicious activity, and applying consistent investigative techniques in operational environments.