The Global Cybersecurity Camp (GCC) is a week-long annual international cybersecurity training program, with hosting responsibilities rotating among participating countries. Our mission is to strengthen the global security community and cultivate future cybersecurity leaders. Each year, the top 50 students from member countries gather in a host nation to exchange experiences, build lifelong friendships, and learn from leading cybersecurity professionals. Organized by non-commercial education programs and communities, the camp is supported by industry leaders committed to fostering a safer digital world.
Date
March 2 ~ 6, 2026
Location
Ho Chi Minh City (Vietnam)
Schedule
(Michael & Kento Oki, JP)
(JimmySu & John Jiang, TW)
(Mars Cheng, TW)
(Satoshi Tanda, JP)
(Kar Wei Loh, SG)
March 2
Breakfast
08:00 ~ 09:00
Opening / Ethics / Groupwork
09:00 ~ 12:00
Keynote: etc
Speaker: etc
etc
Lunch
13:00 ~ 14:00
Introduction to IoT/ICS Security & Firmware Analysis Skills
14:00 ~ 18:00
In recent years, cybersecurity incidents in the Internet of Things (IoT) and critical infrastructure sectors, such as refining, power generation, and smart manufacturing, have been numerous, with IoT/Industrial Control Systems (ICS) attacks occurring in countries worldwide. Consequently, these security issues are receiving increasing attention. However, there is a significant gap in the background knowledge of IoT/ICS security practitioners. Therefore, this course is specifically designed for students from diverse backgrounds, enabling them to gain a comprehensive understanding of the intricacies of IoT/ICS security. This course will provide a thorough and accessible foundational knowledge of IoT/ICS, encompassing attack vectors and analysis of various practical tactics. Students will also engage in over five practical exercises.
Trainer: Mars Cheng
Mars Cheng (@marscheng_) is the Head of the Cyber Threat & Product Defense Center at TXOne Networks Inc., where he leads three core subgroups: PSIRT, the Advanced Threat Research Group, and the Threat Operation Group, focusing on research into emerging security threats. He also serves as the Executive Director of the Association of Hackers in Taiwan (HIT/HITCON), a Review Board Member for both HITCON Conference and Training, the General Coordinator of HITCON CISO Summit 2025, and a Cybersecurity Auditor for the Taiwan Government. In these roles, he plays a pivotal part in fostering collaboration between industry and government to strengthen national cybersecurity resilience.
Mars specializes in ICS/SCADA security, malware analysis, threat intelligence and hunting, blue teaming, and enterprise defense. As a seasoned speaker, Mars has delivered over 60 presentations at prominent international cybersecurity conferences, including Black Hat USA, Europe, and MEA, RSA Conference, DEF CON, CODE BLUE, FIRST, HITB, HITCON, Troopers, NOHAT, SecTor, S4, SINCON, and ROOTCON, among others. He is also an experienced cybersecurity instructor, having delivered over 35 training sessions at events such as Global Cybersecurity Camp (GCC) 2024, HITCON Training (2025, 2022, 2021, 2020, 2019), NICS Elite Practical Training Taiwan (2025–2022), and for various ministries in Taiwan, including National Defense, Economic Affairs, Education, and Finance, as well as for publicly listed companies.
Mars has successfully organized several HITCON events, including the HITCON CISO Summit (2023, 2024), HITCON PEACE 2022, and HITCON 2021 & 2020.
Dinner
18:00 ~ 19:00
Groupwork
19:00 ~ 22:00
March 3
Breakfast
08:00 ~ 09:00
Practical Binary Hardening with Control-flow Enforcement Technology (CET)
09:00 ~ 13:00
In recent years, many attacks on software have originated from memory safety issues. According to a 2023 report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), many serious vulnerabilities are still related to memory corruption, which attackers exploit to execute malicious code and take over systems [^cisa]. To counter these threats, Intel proposed Control-flow Enforcement Technology (CET). CET provides a new mechanism to prevent attackers from hijacking control flow and is utilized on major platforms, including Windows.
Currently, although CET is gaining attention as a modern security mechanism, it is not yet widely adopted in general software. One reason for this, in addition to issues with hardware and OS support, is that developers lack a sufficient understanding of CET's mechanisms and the benefits of its adoption. This training will systematically cover CET from its fundamentals to its applications, and through practical examples, we will explore why its adoption is lagging and discuss its future prospects.
In this training, we will learn about CET, a modern OS security feature, and its mechanisms. Furthermore, we will cover the implementation differences across various operating systems and compilers. Through hands-on sessions, participants will observe the behavior of applications in a CET-enabled environment and analyze binaries to determine if they have CET support.
By the end of this training, participants will understand the fundamental mechanisms of CET and be able to explain the implementation differences across major operating systems like Windows and Linux. Additionally, they will acquire the skills to investigate and analyze CET support at the compiler and binary levels. Through hands-on debugging and analysis in a practical environment, they will gain a tangible understanding of how CET actually works and which types of attacks it is effective against.
Trainer: Michael / Kento Oki
Michael is a security researcher with a focus on automated binary analysis, reverse engineering, and threat intelligence. He is a DEF CON CTF finalist (2023–2025), an instructor at Security Camp Japan (Threat Analysis Track), a GCC alumnus, and a GSoC contributor with FLARE/Mandiant.
Kento Oki is a security researcher specializing in kernel exploitation, binary hardening, and Windows kernel internals. Since beginning his cybersecurity journey in 2020, his discoveries of vulnerable drivers have led to the disclosure of several critical CVEs. Given his expertise, he has also been actively working in the game security domain.
Lunch
13:00 ~ 14:00
Hypervisors for Hackers: Security from the Hardware Up
14:00 ~ 18:00
Ever wonder how modern phones, game consoles, and operating systems use virtualization to stay secure--even against powerful kernel exploits?
In this hands-on class, you'll dive deep into hardware-assisted virtualization and hypervisors--by building one yourself. Using Intel VT-x and Rust, we'll create a lightweight hypervisor capable of running Windows 11. Then, we'll go further: designing a custom protection mechanism to defend the guest OS from kernel-mode attacks.
This isn’t just theory. You'll walk away with practical skills and a working foundation you can extend for security research, fuzzing, reverse engineering, or breaking and customizing real-world hypervisors. Whether you're into low-level systems, secure software, or platform security architecture, this class is your launchpad into the world of virtualization-based security.
Come ready to code. Leave with your own hacking hypervisor.
Trainer: Satoshi Tanda
Satoshi is a system software engineer and security researcher with more than 15 years of experience. He works on virtualization and security for game consoles, and previously worked as a developer, researcher, and malware reverse engineer at security software vendors.
He enjoys learning and teaching low-level technologies. He has trained over 200 professionals at reputable conferences, including OffensiveCon, Recon, and Hexacon, as well as Security Camp and GCC, for the next generation of security and low-level technology enthusiasts.
Dinner
18:00 ~ 19:00
Groupwork
19:00 ~ 22:00
March 4
Breakfast
08:00 ~ 09:00
Super Hat’s Kernel Trick: Social Engineering the AV/EDR Kernel Protection
09:00 ~ 13:00
Under today's heavily guarded, multi-layered endpoint defenses, stealthy red team operations are becoming increasingly difficult—especially when facing modern AV/EDR systems armed with kernel callbacks. But is the Windows kernel truly bulletproof? Not quite ;)
This course systematically exposes the architectural flaws in how modern AV/EDRs interact with kernel security and privilege boundaries. Through deep understanding of Windows internals, attackers can bypass most protections without using a single kernel exploit. By pivoting across over-trusted tokens and socially engineering AV trust assumptions, we’ll demonstrate how AV/EDRs can be lured into sandboxing themselves—without even realizing it.
We’ll break down the "three walls" of modern AV/EDR kernel protection: real-time scanning, anti-tampering, and Protected Process Light (PPL). Without crashing a single byte, participants will learn to use IDA to reverse modern Windows internals, identify and weaponize their own kernel vulnerabilities, and build read/write primitives from scratch.
From there, we move to full kernel-mode weaponization—all from userland. Students will implement real-world techniques like local privilege escalation, disabling DSE, stripping AV callbacks, wiping protection structures, and implanting backdoors inside AV/EDR drivers themselves.
This is not a crash course in exploitation. It’s a blueprint for taking full control of a “protected” Windows system—by thinking like the kernel, and abusing what defenders trust the most.
Trainer: Shenghao Ma
Shenghao Ma (@aaaddress1) is Team Lead of Cyber Threat & Product Defense Center, TXOne Networks Inc., responsible for coordinating product security and threat research. With over 15 years of hands-on experience, his research focuses on reverse engineering, symbolic execution, AI/ML, NLP, compiler practice, and malware analysis.
As a frequent speaker and trainer, Shenghao has contributed to numerous international conferences and organizations, such as Black Hat USA/MEA, DEFCON, CODE BLUE, S4, SECTOR, HITB, VXCON, HITCON, AVTOKYO, and ROOTCON, as well as the Ministry of National Defense and the Ministry of Education. He was honored to be the Hall of Fame Speaker at CYBERSEC, the largest cybersecurity exhibition in Taiwan. He is also a review board member for HITCON and the author of the bilingual cybersecurity book "Windows APT Warfare: The Definitive Guide for Malware Researchers."
Lunch
13:00 ~ 14:00
Super Hat’s Kernel Trick: Social Engineering the AV/EDR Kernel Protection (Continued)
14:00 ~ 18:00
Dinner
18:00 ~ 19:00
Groupwork
19:00 ~ 22:00
March 5
Breakfast
08:00 ~ 09:00
Born in the Cloud, Breached on the On-Prem: Entra ID Attack Chains
09:00 ~ 13:00
"It’s not an exploit. It’s a feature."
Microsoft’s Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management system used by over 90% of Fortune 500 companies. As organizations adopt more cloud-native infrastructure, Azure has become one of the most widely used cloud providers, and Microsoft 365 remains a dominant productivity platform. Based on our observations, approximately 80% of schools have adopted Microsoft 365 as their primary productivity suite. In these environments, leveraging Entra ID becomes nearly unavoidable — whether for identity federation, conditional access, or device management.
For organizations without traditional Active Directory but with a need to manage employee devices, Entra Joined has become a common choice. This feature allows devices to register directly with Entra ID, enabling centralized identity enforcement without requiring on-prem Active Directory. While convenient, this approach also introduces new attack surfaces — particularly when Entra ID is used as the backbone of authentication across services.
This course explores the real-world attack paths introduced by Entra Joined devices as an initial access foothold, leading to full Entra ID compromise. We demonstrate how adversaries can compromise a single machine, pivot into Entra ID, and abuse the trust relationships established through Entra Join to escalate privileges and move laterally — ultimately achieving persistence across both cloud and on-prem environments.
Students will begin by understanding the fundamentals of Entra ID and how Entra Joined works under the hood, including what changes occur on a device upon registration. We then shift to an attacker’s perspective and focus on one of the most critical and fast-growing threats in Entra ID environments: the token replay attack. Using tools like az CLI, roadtools, and mimikatz, students will simulate how tokens — especially the Primary Refresh Token (PRT) — can be extracted from Entra Joined devices and reused to access cloud resources. According to Microsoft, this class of attack has increased by 111% year-over-year, highlighting its rising impact. Through hands-on labs, students will see how token theft can directly lead to cloud asset compromise.
From there, we demonstrate how attackers can identify high-privilege targets within Entra ID and use Entra Pass-the-Cert to move laterally between Entra Joined machines on-prem. The course culminates in showing long-term persistence in Entra ID, including injecting credentials into Service Principals and registering rogue devices to obtain persistent MFA claims — enabling continued access even after user credentials are revoked.
Students will experience a complete modern identity attack chain, from initial access through privilege escalation and lateral movement to long-term persistence across identity boundaries.
Trainer: JimmySu (Jiun-Ming, Su) / John Jiang (Shang-De, Jiang)
Jimmy Su, currently working at CyCraft as a Cyber Security Researcher, holds a master’s degree in Information Security from NTHU. His work focuses on attacks involving Active Directory, Cloud, and identity-related security. Jimmy holds certifications including eJPT, CRTO, ARTA, and GRTA. He has presented at conferences such as CyberSec, HITCON 101, SECCON, and SO-CON, and co-authored a talk at ROOTCON. He has also delivered technical training and workshops, and shared his expertise with various organizations, including government agencies, ISPs, and academic institutions in Taiwan.
Shang-De Jiang is a deputy director of the research team at CyCraft. Currently, he focuses on research into Incident Response, Endpoint Security, and Microsoft Security. He has given technical presentations at non-academic technical conferences, such as BlackHat USA, DEF CON, TROOPERS, HITB, HITCON, CodeBlue, and Blue Team Summit. He is the co-founder of UCCU Hacker, a private hacker group in Taiwan.
Lunch
13:00 ~ 14:00
Hands On Cybersecurity AI Workshop: Build your own Automated Agentic AI Penetration Tester in N8N & Car Hacking
13:00 ~ 18:00
In this hands-on training, you'll learn how to design and deploy an automated AI-driven workflow in n8n to automate penetration testing tasks. The workflow will:
- Execute commands on target IPs (e.g., Nmap scans, vulnerability checks)
- Parse and analyze results (extract open ports, services, CVEs)
- Leverage AI (LLM/GPT) to suggest next steps (prioritized exploits, misconfigurations, remediation tips)
- Implement conditional workflow logic for dynamic response to findings
N8N’s intuitive interface lets you design sophisticated automation flows without advanced AI expertise, and gives you the flexibility to modify and expand your workflows as new tools and techniques emerge.
Trainer: Kar Wei Loh
Kar Wei Loh is a Cybersecurity researcher, CREST and OSCP Certified Penetration Tester, and experienced trainer with a passion for strengthening cyber resilience through hands-on education. She has 2 accredited CVEs and has spoken at international conferences like Black Hat Asia before, presenting on new research innovations like code variant analysis to technical international audiences when she was just 19.
She is the founder of Hexcore Labs, an innovative Singapore-based EdTech company specialising in Cybersecurity & AI education. At Hexcore Labs, we develop browser-based Unity games under our AgentHex arm simulating real-world cybersecurity scenarios, cloud-hosted cyber ranges featuring intentional vulnerabilities for hands-on cybersecurity training, and AI-driven content leveraging LLMs and automation workflows.
Her work bridges the gap between theoretical knowledge and real-world application, making cybersecurity and AI training more effective, scalable, and accessible.
Dinner & Industrial Session
18:00 ~ 22:00
March 6
Breakfast
08:00 ~ 09:00
Closing / Groupwork Presentation
09:00 ~ 12:00
Lunch
13:00 ~ 14:00