It is not rare that attackers can gain access to a target victim’s infrastructure. The “Assume Breach” mentality shifts defenders’ focus from initial access to later stages of the attack lifecycle. To better understand these post-exploitation activities (privilege escalation, lateral movement, etc.) security teams can map attacker TTP’s (Tactics, Techniques & Procedures) to corresponding artifacts for defensive purposes. This session will demonstrate this offensive and defensive mapping by performing a given realistic attack and investigating the results to describe the attacker behavior through IOC’s (Indicators of Compromise).