SOC Lab Day 5 - First Real Alert Landed!
I’ve been using RIGGS — a Claude-backed agent running in my terminal — as an orchestration layer, not just a coding assistant.
For Phase 2 of the lab, it:
provisioned a Windows VM over SSH
installed Sysmon
installed and configured the Splunk Universal Forwarder
shipped telemetry to Splunk on my home server
installed Atomic Red Team
ran T1003.001 (LSASS credential dump via ProcDump)
My role: physical access + final decisions.
The most interesting part was watching it hit real-world blockers and work through them.
Defender blocked the attack — and also blocked the usual paths used to disable it.
RIGGS surfaced each blocker, explained why it failed, proposed the remediation, and executed when approved:
execution policy
Defender exclusions
Tamper Protection
LSASS PPL
SSH filtered admin token / missing SeDebugPrivilege
Once those were cleared, ProcDump dumped LSASS in 1.7 seconds.
Then RIGGS checked Splunk and confirmed 19 events. Full kill chain visible.
The split was clean:
AI handles execution and verification.
Human handles approvals, destructive actions, and judgment.
That feels like the real opportunity with AI orchestration.
Not “AI replaces the operator.”
More like the operator stops doing the low-leverage work.
Anyone else running AI this way — as an ops layer with human-in-the-loop checkpoints?
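Added example, not code from the post or from RIGGS: the Sysmon Event ID 10 (ProcessAccess) check that the "alert landed" in the lab would rest on, run over a few constructed Sysmon-style key=value lines of the kind the Universal Forwarder ships to Splunk. Field names follow Sysmon's ProcessAccess schema; the allow-list of processes that legitimately touch lsass.exe and the sample events are assumptions to tune per environment. The logic flags any non-allow-listed process that obtains both PROCESS_VM_READ and PROCESS_QUERY_INFORMATION on lsass.exe, which is the combination a memory dump needs.

```python
"""Detect suspicious handles to lsass.exe from Sysmon ProcessAccess events.

Added example, not code from the original post or from RIGGS. Sample events
are constructed; field names follow Sysmon Event ID 10. ALLOWLIST is an
assumption: tune it from your own baseline before using it in Splunk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows PROCESS_* access-right bits relevant to dumping a process
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Processes that routinely open lsass.exe (assumption; lower-cased paths)
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon-style lines as the forwarder would ship them (flattened)
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Tools\procdump64.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c0f5",
    r"EventID=10 SourceImage=C:\Windows\system32\svchost.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"EventID=10 SourceImage=C:\Windows\system32\taskmgr.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"EventID=10 SourceImage=C:\Tools\procdump64.exe TargetImage=C:\Windows\system32\notepad.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
]


@dataclass
class Finding:
    source_image: str
    granted_access: int
    reason: str


# key=value pairs; values may contain spaces (e.g. "Program Files") but not " key="
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse a flattened key=value Sysmon line into a dict of strings."""
    return {key: value.strip() for key, value in KV_RE.findall(line)}


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when a non-allow-listed process gets dump rights on lsass."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Both VM_READ and QUERY_INFORMATION must be present; 0x1FFFFF (full access)
    # and 0x1410 both satisfy this, 0x1000 or 0x1400 (query only) do not.
    if granted & DUMP_RIGHTS == DUMP_RIGHTS:
        return Finding(source, granted, "non-allow-listed process opened lsass with VM_READ|QUERY_INFORMATION")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the check over raw forwarder lines and collect findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding.source_image} GrantedAccess=0x{finding.granted_access:X}: {finding.reason}")
```

Against the constructed events only the ProcDump line fires: svchost and Task Manager lack PROCESS_VM_READ, Defender is allow-listed, and the handle to notepad.exe is not lsass. The same condition translates directly into an SPL search on EventCode=10 with TargetImage ending in lsass.exe and a GrantedAccess bitmask test, which is the shape of rule the 19 events in the post would have matched.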
Bagu Hanto