LiYu

TeamT5 Inc. / Project Manager

LiYu currently serves as a project manager at TeamT5, working on both product development and student cybersecurity community initiatives.

Outside of work, she is actively involved in the cybersecurity and open-source communities. She has helped organize major conferences such as HITCON, COSCUP, and PyCon TW, and in recent years, she served as the Agenda Lead for HITCON CMT. During her student years, she was the Lead Organizer of SITCON. She is also a member of UCCU Hacker.

SPEECH
4/16 (Wed.) 14:45 - 15:15 4F 4C SecOps Forum Live Translation Session
No Hunt, No Insight: Threat Hunting Techniques Based on MDR Experience

This talk will be based on TeamT5's extensive experience in providing Managed Detection and Response (MDR) services, exploring the challenges and pain points encountered during the threat hunting process. Through real-world case studies, we will discuss the obstacles faced in live environments and how threat hunting techniques can be leveraged to detect traces of Advanced Persistent Threat (APT) groups, especially in response to their evolving attack strategies.

4/16 (Wed.) 16:15 - 16:45 7F 703 Offensive Security Forum
The Art of EDR Detection: Strengthening Detection Capabilities Through Evasion Techniques

As enterprises increasingly prioritize cybersecurity, Endpoint Detection and Response (EDR) has become a critical defense tool. However, as adversaries continuously refine their tactics, the arms race between blue teams and red teams grows ever more intense. In this ongoing battle, every improvement in detection is met with new evasion techniques, driving a continuous cycle of adaptation and escalation.

In this session, we will explore the evolution of EDR detection strategies in recent years and analyze how attackers leverage obfuscation techniques to conceal malicious activities, abuse Windows Subsystem for Linux (WSL) to bypass traditional security solutions, and exploit Windows Filtering Platform (WFP)—as seen in EDRSilencer—to manipulate EDR operations. Through real-world case studies, we will examine the challenges these techniques pose to EDR detection and discuss how blue teams can develop proactive defense strategies, shifting from reactive detection to active deception, ensuring EDR remains a step ahead in the ever-evolving threat landscape.