Researchers Bypass Elastic EDR Call-Stack Signatures Using Call Gadgets

Security researchers have developed a new technique that leverages call gadgets to insert arbitrary modules into the call stack during module loading, successfully bypassing Elastic EDR’s signature-based detection rules.

Openness in Elastic EDR Detection Logic

Elastic’s policy of transparency, making its detection logic and payload-testing tools publicly available, has enabled the security community to better understand and challenge its EDR mechanisms.

Unlike many vendors, Elastic allows open access to its detection rules, enabling researchers to simulate and analyze real-world evasion techniques.

Elastic EDR’s detection engine focuses heavily on analyzing call stacks for signs of malicious activity.

Suspicious module loads, such as those initiated from unbacked (i.e., in-memory, not from disk) memory regions, are closely monitored, as these behaviors are strongly associated with attacks like shellcode injection.

Specific rules, such as those that track network modules loaded from unbacked memory, help identify standard techniques used by command-and-control (C2) implants.

Over time, threat actors have devised various methods to evade EDR detection by manipulating call stacks. Techniques such as call stack spoofing and API proxying have been covered in detail within the community.

However, Elastic has responded by introducing additional rules targeting these tactics, often focusing on specific system libraries to reduce false positives and maintain performance.

A typical detection might look for a call stack like:

ntdll.dll|kernelbase.dll|Unbacked

or signatures indicative of spoofed or proxied calls. These rules are designed to catch library loads initiated in suspicious contexts.

The newly published research introduces an innovative evasion technique: using call gadgets to insert an arbitrary module into the call stack, thereby breaking the pattern expected by Elastic’s detection rules.

By exploiting controllable call instructions (gadgets) in system DLLs that are not currently targeted by EDR signatures, the researchers can modify the call stack observed during module load operations.

The proof-of-concept leverages a specific call-ret gadget found in an older version of dsdmo.dll.

Figure: The detection triggers and the process is killed

By jumping to this gadget during network library loading (such as wininet.dll), the inserted module appears in the call stack, disrupting the signature and preventing the alert from triggering. As a result, the previously detectable operation goes unnoticed by the EDR agent.
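To make the signature-matching point concrete, the following is an added example (not code from the article or from Elastic) that models the quoted `ntdll.dll|kernelbase.dll|Unbacked` pattern as an exact prefix match and shows how an extra module inserted between kernelbase.dll and the unbacked frame defeats it, alongside an order-independent variant. The frame order (innermost first), the set of guarded network modules and the sample stacks are assumptions constructed for the example.

```python
# Added example, not code from the article or from Elastic: a small model of
# the call-stack signature the article quotes and of how inserting an extra
# module between kernelbase.dll and the unbacked frame defeats an exact match.
# Module names, frame order (innermost first) and sample stacks are assumptions.

NETWORK_MODULES = {"wininet.dll", "winhttp.dll", "ws2_32.dll"}  # assumed rule scope

# The signature as written in the article, split on the '|' separator.
NAIVE_SIGNATURE = "ntdll.dll|kernelbase.dll|Unbacked".split("|")


def naive_rule(loaded_module: str, frames: list[str]) -> bool:
    """Exact prefix match: fires only when the three frames closest to the
    loader are ntdll.dll, kernelbase.dll and an unbacked region, in that order."""
    return loaded_module.lower() in NETWORK_MODULES and frames[:3] == NAIVE_SIGNATURE


def resilient_rule(loaded_module: str, frames: list[str]) -> bool:
    """Order-independent variant: fires when a network module load has any
    unbacked frame anywhere on the stack. Broader coverage, but as the article
    notes, vendors scope such rules to specific libraries to limit false
    positives (JIT runtimes, for instance, also produce unbacked frames)."""
    return loaded_module.lower() in NETWORK_MODULES and "Unbacked" in frames


# Constructed sample stacks, innermost frame first.
BENIGN = ["ntdll.dll", "kernelbase.dll", "app.exe"]
SHELLCODE_DIRECT = ["ntdll.dll", "kernelbase.dll", "Unbacked"]
SHELLCODE_VIA_GADGET = ["ntdll.dll", "kernelbase.dll", "dsdmo.dll", "Unbacked"]


def evaluate(loaded_module: str, frames: list[str]) -> dict[str, bool]:
    """Run both rules over one module-load event and report which fired."""
    return {
        "naive": naive_rule(loaded_module, frames),
        "resilient": resilient_rule(loaded_module, frames),
    }


if __name__ == "__main__":
    for name, frames in [("benign", BENIGN), ("direct", SHELLCODE_DIRECT),
                         ("gadget", SHELLCODE_VIA_GADGET)]:
        print(name, "|".join(frames), evaluate("wininet.dll", frames))
```

The gadget stack is the one the exact-prefix rule misses while the order-independent rule still catches; the price of that broader rule is the false-positive exposure the article attributes to Elastic's library-specific scoping.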

This method builds on previous research into shellcode obfuscation and callback-based API proxying.

Figure: Stepping over the syscall instruction, the alert will trigger

However, it demonstrates a practical approach to finding real gadgets in widely available DLLs. Even though the tested gadget is from a deprecated version, the research outlines the process for finding similar gadgets in current DLL sets.

This finding only addresses a specific detection bypass related to shellcode-based network module loading.

Figure: Visual representation of the flow

Elastic’s EDR still offers many additional opportunities to detect malicious activity throughout an attack’s lifecycle. However, this technique underlines the constant evolution of evasion and detection strategies.

Researchers have responsibly disclosed the method to Elastic, which is actively updating its detection rules to address this evasion.

The work highlights the need for ongoing collaboration and transparency within the security community to strengthen cyber defenses continually.
