Researchers at Almond have evaded Elastic EDR’s call stack signature detection using “call gadgets”: short instruction sequences inside legitimate Windows DLLs that change what the EDR sees in the call stack of a sensitive operation.
The Almond research builds on Elastic’s transparent approach to security: the company publicly shares its detection logic and allows researchers to test against its protections.
Understanding How Elastic’s Call Stack Detection and Call Gadgets Work
Elastic EDR relies heavily on call stack analysis to identify malicious behavior, in particular detecting when sensitive operations originate from unbacked memory, that is, code loaded at runtime that is not backed by an executable file on the filesystem.
That pattern typically indicates shellcode execution. When an operation such as loading a network module originates from such a memory region, Elastic’s detection rules trigger alerts based on specific call stack signatures.

The Almond researchers discovered they could bypass detection by inserting an additional module into the call stack between expected system libraries.
Elastic’s detection rules look for specific call stack patterns, such as the module sequence “ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll” when a network module is loaded.
By breaking this sequence with a call gadget, the researchers evaded the rule.

The technique involves finding call instructions whose target is taken from a register the attacker controls, located in legitimate Windows DLLs that the detection rule’s signature does not account for.
Researchers identified suitable gadgets by analyzing System32 DLLs, searching for a call through a register followed, after any stack cleanup, by a return instruction.
They discovered a stable gadget in dsdmo.dll that executes “call r10” followed by stack cleanup and a return.
By jumping to this gadget with r10 pointing at the target function instead of calling that function directly, the return address pushed by the gadget’s call places dsdmo.dll in the call stack between ntdll and kernelbase, breaking the detection signature while the intended function still executes normally.
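The following script is an added illustration of the two pieces of the technique described above; it is not Almond’s proof of concept or Elastic’s code. The first half is a gadget hunt of the kind the researchers ran over System32 DLLs: a linear scan for `call <reg>` followed by accepted stack-cleanup instructions and `ret`, run here over a constructed byte string standing in for a DLL’s `.text` section (not real dsdmo.dll bytes). The second half is a simplified model of an exact module-sequence signature and shows how the extra frame contributed by the gadget’s return address breaks it. The frame lists, the collapsing of consecutive same-module frames into a `|`-joined summary, and the “signature is a substring of the summary” rule are assumptions chosen to mirror the page’s description; real frame layout depends on which function r10 points at.

```python
"""Constructed illustration: call-gadget search and an exact-sequence call stack signature."""
from typing import List, Optional, Tuple

# x64 register names indexed by the 3-bit ModRM r/m field; a 0x41 REX.B prefix selects r8-r15.
_REGS_LOW = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
_REGS_HIGH = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def _decode_call_reg(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(register, length) if buf[i:] starts with `call r64` (FF /2, mod=11: FF D0..D7 or 41 FF D0..D7)."""
    if i + 1 < len(buf) and buf[i] == 0xFF and 0xD0 <= buf[i + 1] <= 0xD7:
        return _REGS_LOW[buf[i + 1] & 7], 2
    if i + 2 < len(buf) and buf[i] == 0x41 and buf[i + 1] == 0xFF and 0xD0 <= buf[i + 2] <= 0xD7:
        return _REGS_HIGH[buf[i + 2] & 7], 3
    return None


def _decode_cleanup(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """One accepted stack-cleanup instruction: `add rsp, imm8` (48 83 C4 ib), `pop r64` (58..5F / 41 58..5F)."""
    if buf[i:i + 3] == b"\x48\x83\xC4" and i + 3 < len(buf):
        return f"add rsp, 0x{buf[i + 3]:x}", 4
    if 0x58 <= buf[i] <= 0x5F:
        return f"pop {_REGS_LOW[buf[i] & 7]}", 1
    if buf[i] == 0x41 and i + 1 < len(buf) and 0x58 <= buf[i + 1] <= 0x5F:
        return f"pop {_REGS_HIGH[buf[i + 1] & 7]}", 2
    return None


def scan_for_call_gadgets(text: bytes, max_cleanup: int = 4) -> List[Tuple[int, str, List[str]]]:
    """Find `call <reg>` followed by at most max_cleanup cleanup instructions and `ret`.

    Returns (offset, register, [cleanup instructions]) per hit. Any other instruction between the
    call and the ret rejects the candidate. The scan is byte-linear, so overlapping decodings
    (e.g. `41 FF D2` seen as `call r10` at i and `call rdx` at i+1) are both reported; both are
    valid entry points for an attacker who can jump to either offset.
    """
    hits = []
    for i in range(len(text)):
        call = _decode_call_reg(text, i)
        if call is None:
            continue
        reg, n = call
        j, cleanup = i + n, []
        while j < len(text) and text[j] != 0xC3 and len(cleanup) < max_cleanup:
            step = _decode_cleanup(text, j)
            if step is None:
                break
            cleanup.append(step[0])
            j += step[1]
        if j < len(text) and text[j] == 0xC3:
            hits.append((i, reg, cleanup))
    return hits


# Constructed stand-in for a DLL .text section (hand-assembled x64, not real dsdmo.dll bytes).
SAMPLE_TEXT = bytes.fromhex(
    "4883EC28"    # sub rsp, 0x28          prologue noise
    "4889C8"      # mov rax, rcx
    "41FFD2"      # call r10               gadget: offset 7
    "4883C428"    # add rsp, 0x28
    "C3"          # ret
    "90"          # nop
    "FFD090C3"    # call rax; nop; ret     rejected: nop is not accepted cleanup
    "FFD3415BC3"  # call rbx; pop r11; ret accepted: offset 20
)

# Signature quoted by the page; the detection model below is a simplification (assumption).
SIGNATURE = "ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll"


def call_stack_summary(frames: List[str]) -> str:
    """Collapse consecutive frames from the same module and join with '|' (assumed summary shape)."""
    out: List[str] = []
    for module in frames:
        if not out or out[-1] != module:
            out.append(module)
    return "|".join(out)


def signature_matches(frames: List[str], signature: str = SIGNATURE) -> bool:
    """Simplified rule: alert when the summary contains the exact module sequence."""
    return signature in call_stack_summary(frames)


# Constructed frame lists, innermost frame first. Real frame counts and positions vary.
DIRECT_CALL = ["ntdll.dll", "ntdll.dll", "kernelbase.dll", "ntdll.dll", "kernel32.dll", "ntdll.dll", "Unbacked"]
# Same operation reached through a `call r10; add rsp, ..; ret` gadget: the return address pushed
# by that call contributes a dsdmo.dll frame, here placed between kernelbase and ntdll as the page describes.
VIA_GADGET = ["ntdll.dll", "ntdll.dll", "kernelbase.dll", "dsdmo.dll", "ntdll.dll", "kernel32.dll", "ntdll.dll", "Unbacked"]

if __name__ == "__main__":
    for off, reg, cleanup in scan_for_call_gadgets(SAMPLE_TEXT):
        print(f"gadget at +0x{off:x}: call {reg}; {'; '.join(cleanup + ['ret'])}")
    print("direct :", call_stack_summary(DIRECT_CALL), "->", signature_matches(DIRECT_CALL))
    print("gadget :", call_stack_summary(VIA_GADGET), "->", signature_matches(VIA_GADGET))
```

Run it as a script to see the gadget list and both summaries. The scanner deliberately rejects anything other than `add rsp, imm8` and `pop` between the call and the `ret`, which is what makes a gadget “stable” in the sense the page uses: the register-controlled call must be followed by cleanup that returns cleanly to the caller.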

The researchers notified Elastic before publishing their findings. Elastic acknowledged the technique and is developing updated detection rules to address this evasion method.
The complete proof-of-concept code has been published on GitHub, an example of the ongoing collaboration between independent researchers and EDR vendors.
While this technique bypasses one specific detection rule, Elastic EDR applies multiple detection layers across an implant’s execution lifecycle, so evading a single call stack signature does not by itself make an implant invisible.
