Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.

mukul975/Anthropic-Cybersecurity-Skills|Updated May 25, 2026

Works with

Claude CodeCursorClineWindsurfCodex

Installation Guide

Select your AI agent

How to use detecting-privilege-escalation-attempts on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your machine
›Node.js 16+ with npm — verify with node --version
›Active project directory where you want to add detecting-privilege-escalation-attempts

Run the install command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/detecting-privilege-escalation-attempts

Fetches detecting-privilege-escalation-attempts from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

Select Cursor when prompted

The CLI shows a list of agents. Use arrow keys and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ────────────────

│ · Cline · Codex · Goose · Windsurf

│ ●Cursor(selected)

│ · Cursor · Aider · Continue

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/detecting-privilege-escalation-attempts

Restart Cursor to activate detecting-privilege-escalation-attempts. Access via /detecting-privilege-escalation-attempts in your agent's command palette.

⚠

Security Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.

›View source on GitHub ›Skills CLI docs ›About Cursor ›What are agent skills?

Documentation

List & Monetize Your Skill

Submit your Claude Code skill and start earning

Get started →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

✓

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

✓

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

✓

Improve work quality by 30-40% with less effort

When to Use

When proactively hunting for indicators of detecting privilege escalation attempts in the environment

After threat intelligence indicates active campaigns using these techniques

During incident response to scope compromise related to these techniques

When EDR or SIEM alerts trigger on related indicators

During periodic security assessments and purple team exercises

Workflow

Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.

Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.

Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.

Analyze Results: Examine query results for anomalies, correlating across multiple data sources.

Validate Findings: Distinguish true positives from false positives through contextual analysis.

Correlate Activity: Link findings to broader attack chains and threat actor TTPs.

Document and Report: Record findings, update detection rules, and recommend response actions.

Concept

Description

T1134

Access Token Manipulation

T1548.002

UAC Bypass

T1068

Exploitation for Privilege Escalation

T1574.009

Unquoted Service Path

Tools & Systems

Tool	Purpose
CrowdStrike Falcon	EDR telemetry and threat detection
Microsoft Defender for Endpoint	Advanced hunting with KQL
Splunk Enterprise	SIEM log analysis with SPL queries
Elastic Security	Detection rules and investigation timeline
Sysmon	Detailed Windows event monitoring
Velociraptor	Endpoint artifact collection and hunting
Sigma Rules	Cross-platform detection rule format

Hunt ID: TH-DETECT-[DATE]-[SEQ] Technique: T1134 Host: [Hostname] User: [Account context] Evidence: [Log entries, process trees, network data] Risk Level: [Critical/High/Medium/Low] Confidence: [High/Medium/Low] Recommended Action: [Containment, investigation, monitoring]

name	detecting-privilege-escalation-attempts
description	Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.
domain	cybersecurity
subdomain	threat-hunting
tags	- threat-hunting - mitre-attack - privilege-escalation - token-manipulation - uac-bypass - proactive-detection
version	'1.0'
author	mahipal
license	Apache-2.0
d3fend_techniques	- Token Binding - Executable Denylisting - Execution Isolation - Restore Access - Reissue Credential
nist_csf	- DE.CM-01 - DE.AE-02 - DE.AE-07 - ID.RA-05

detecting-privilege-escalation-attempts

Installation Guide

How to use detecting-privilege-escalation-attempts on Cursor

Prerequisites

Run the install command

Select Cursor when prompted

Verify installation

Security Notice

Documentation

List & Monetize Your Skill

Use Cases

Task Automation & Efficiency

Knowledge Enhancement

Quality Improvement

Install Skill

Detecting Privilege Escalation Attempts

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Common Scenarios

Output Format

Implementation Guide

Best Practices

When to Use This

Learning Path

Related Skills

executing-red-team-engagement-planning

performing-purple-team-atomic-testing

performing-cryptographic-audit-of-application

exploiting-deeplink-vulnerabilities

implementing-soar-playbook-with-palo-alto-xsoar

analyzing-network-traffic-with-wireshark

Reviews

Discussion