As enterprises increasingly prioritize cybersecurity, Endpoint Detection and Response (EDR) has become a critical defense tool. However, as adversaries continuously refine their tactics, the arms race between blue teams and red teams grows ever more intense. In this ongoing battle, every improvement in detection is met with new evasion techniques, driving a continuous cycle of adaptation and escalation.

In this session, we will explore the evolution of EDR detection strategies in recent years and analyze how attackers leverage obfuscation techniques to conceal malicious activities, abuse Windows Subsystem for Linux (WSL) to bypass traditional security solutions, and exploit Windows Filtering Platform (WFP)—as seen in EDRSilencer—to manipulate EDR operations. Through real-world case studies, we will examine the challenges these techniques pose to EDR detection and discuss how blue teams can develop proactive defense strategies, shifting from reactive detection to active deception, ensuring EDR remains a step ahead in the ever-evolving threat landscape.

Since the first known use of a UEFI Bootkit in 2018 by Lojax, a wave of similar threats has emerged, including MosaicRegressor, TrickBot, FinSpy, Especter, MoonBounce, CosmicStrand, and BlackLotus—sold on dark web marketplaces in 2022 and later open-sourced in 2023. This trend highlights the growing cybersecurity threat posed by UEFI Bootkits.

This presentation will provide an overview of Bootkit-related research, starting with fundamental UEFI background knowledge before focusing on how attackers bypass Secure Boot to execute malicious EFI applications and achieve persistence. Unlike BYOVD (Bring Your Own Vulnerable Driver) attacks, Bootkits intervene at the earliest stage of system startup, affecting the initialization of various OS components. Additionally, Bootkits can modify SPI Flash, allowing them to persist even after the operating system is reinstalled.

The session will also analyze the technical aspects of these attacks, including methods for bypassing security mechanisms and execution techniques during the Boot Loader phase. Potential detection and defense strategies will be explored, as well. While traditional antivirus solutions struggle to counter threats at the boot stage, attack preparation activities and post-exploitation behaviors can provide crucial detection opportunities. By shedding light on these threats, this presentation aims to raise awareness of UEFI Bootkits and their impact on modern cybersecurity.