Hand-on Post-exploitation Penetration and Investigation


Post-exploitation is the phase of intrusion after the adversary compromised the systems by a successful exploitation. Post-exploitation phase is critical for threat actors, but very often to be overlooked. Since the complicated IT infrastructure, exploitation and malware infection are unavoidable, thus tracking the post-exploitation activities become one main task for organization’s blue teams.Generally speaking, it contains activities from persistence, lateral movement, privilege escalation and command & control.

In this course, we start from the leaked tutorial of threat actors, e.g. Conti ransomware group. The tutorial can give us a glimpse about how threat actors do post-exploitation. Then we make hand-on practice of post exploitation techniques with the MITRE ATT&CK matrix as our map.

Next, one important environment - Active Directory (AD) is introduced. While most organizations apply Windows-based OS as their main system, AD which is the core of the domain network of Windows becomes the strategic location for adversary. Moreover, the complexity of the AD system makes it troublesome to configure secure.

In the end, we will both use endpoint and network threat hunting techniques to detect these post-exploitation activities that we conducted in the previous phase.


Name: Bletchley/Chung-Kuan Chen
Bio :

Chung-Kuan Chen is currently a senior researcher in CyCraft, and responsible for organizing the research team, and Adjunct Assistant Professor in Soochow Uiniversity, Taiwan. He earned his PHD degree of Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerability, malware and program analysis. He tries to utilize machine learning to assist malware analysis and threat hunting, and build automatic attack and defense systems. He has published several academic journal and conference papers, and has been involved in many large research projects from digital forensic, incident response to malware analysis. He also dedicates to security education. Founder of NCTU hacker research clubs, he trained students to participate in world-class security contests, and has experience of participating DEFCON CTF (2016 in HITCON Team and 2018 as coach in BFS team). He organized the BambooFox Team to join some bug bounty projects and discover some CVEs in COTS software and several vulnerabilities in campus websites. Besides, he has presented technical presentations in technique conferences, such as BlackHat, HITCON, CHITB, RootCon, CodeBlue, FIRST and VXCON. As an active member in Taiwan security community, he is the chairman of HITCON review committee as well as director of Association of Hacker In Taiwan, and member of CHROOT - the top private hacker group in Taiwan.

Back to GCC 2022 Taiwan Page