Researchers Evaded Elastic EDR’s Call Stack Signatures by Exploiting Call Gadgets

Source: Cyber Security News

Security researchers have demonstrated a way to evade Elastic EDR's behavioral detections that key on call stack signatures by routing calls through "call gadgets". The work was possible because Elastic publishes its detection logic, so researchers can test exactly what a rule looks for. The technique inserts an extra, legitimate module into the call stack so that the stack no longer matches the signature the rule associates with suspicious execution.

By scanning System32 DLLs, the researchers located call instructions whose target they could control and which Elastic's detection rules do not flag. They settled on a stable gadget in dsdmo.dll that let them shape the call stack without raising an alert, showing that the approach works in practice. The researchers reported the method to Elastic, which is developing updated detection rules to cover it. The evasion defeats one specific detection rule; Elastic EDR's other detection and protection layers remain in place.
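To make the gadget-hunting step concrete, here is an added example (not the researchers' tool and not Elastic code): a small x64 decoder that scans a code blob for `FF /2` (`call r/m64`) instructions, classifies each by whether its target comes from a register or stack slot (controllable) or from a RIP-relative slot such as an import table entry (fixed), and reports the return address each call would push. That return address is what a stack walker sees, which is why a gadget inside a legitimate System32 module changes the signature. The byte blob is constructed for illustration and is not dsdmo.dll; the load address in the usage block is hypothetical.

```python
"""Locate register-controlled x64 `call` gadgets in a code blob.

Added example, not code from the researchers or from Elastic. Decodes opcode
FF /2 (CALL r/m64) at every byte offset and reports the operand form and the
return offset the call would push. The sample bytes are constructed.
"""
from dataclasses import dataclass

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


@dataclass
class CallGadget:
    offset: int         # offset of the instruction within the scanned bytes
    length: int         # encoded length; return address = offset + length
    text: str           # e.g. "call qword ptr [rax+0x18]"
    controllable: bool  # target read from a register/stack, not a RIP-relative slot

    @property
    def return_offset(self) -> int:
        return self.offset + self.length


def decode_call(code: bytes, i: int):
    """Try to decode CALL r/m64 at code[i:]. Returns CallGadget or None."""
    j = i
    rex = 0
    if 0x40 <= code[j] <= 0x4F:            # optional REX prefix
        rex, j = code[j], j + 1
    if j + 1 >= len(code) or code[j] != 0xFF:
        return None
    modrm = code[j + 1]
    j += 2
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                           # FF /2 is CALL; /4 would be JMP, /0 INC ...
        return None
    b, x = (rex & 1) << 3, ((rex >> 1) & 1) << 3
    if mod == 3:                           # call reg
        return CallGadget(i, j - i, f"call {REGS[rm | b]}", True)

    parts, disp_size = [], {0: 0, 1: 1, 2: 4}[mod]
    if rm == 4:                            # SIB byte follows
        if j >= len(code):
            return None
        sib = code[j]
        j += 1
        scale, idx, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:
            disp_size = 4                  # no base register, absolute disp32
        else:
            parts.append(REGS[base | b])
        if (idx | x) != 4:                 # index 4 without REX.X means "no index"
            parts.append(f"{REGS[idx | x]}*{scale}")
    elif mod == 0 and rm == 5:
        parts.append("rip")                # RIP-relative: the usual IAT call form
        disp_size = 4
    else:
        parts.append(REGS[rm | b])

    if j + disp_size > len(code):
        return None
    disp = int.from_bytes(code[j:j + disp_size], "little", signed=True) if disp_size else 0
    j += disp_size
    inner = "+".join(parts)
    if disp:
        inner += f"{'+' if disp > 0 else '-'}0x{abs(disp):x}"
    inner = inner.lstrip("+")
    return CallGadget(i, j - i, f"call qword ptr [{inner}]", "rip" not in parts)


def find_call_gadgets(code: bytes):
    """Scan every byte offset: x64 is variable-length, so unaligned decodes count too."""
    return [g for g in (decode_call(code, i) for i in range(len(code))) if g]


# Constructed sample, NOT real dsdmo.dll bytes: a stub containing several call forms.
CONSTRUCTED_TEXT = bytes.fromhex(
    "4883EC28"       # sub rsp, 0x28
    "FFD0"           # call rax                   (offset 4)
    "FF5018"         # call qword ptr [rax+0x18]  (offset 6)
    "41FFD3"         # call r11                   (offset 9); bytes 10-11 also decode as call rbx
    "FF1510000000"   # call qword ptr [rip+0x10]  (offset 12), IAT-style, target fixed
    "E800000000"     # call rel32                 (offset 18), direct, never reported
    "FF14C8"         # call qword ptr [rax+rcx*8] (offset 23)
    "4883C428"       # add rsp, 0x28
    "C3"             # ret
)

if __name__ == "__main__":
    base = 0x7FF800000000   # hypothetical load address of the scanned module
    for g in find_call_gadgets(CONSTRUCTED_TEXT):
        tag = "controllable" if g.controllable else "fixed target"
        print(f"+0x{g.offset:04x} {g.text:<30} {tag:<13} "
              f"return address 0x{base + g.return_offset:x}")
```

Two things worth noting when using a scan like this on a real module. First, it finds candidate instructions only; whether a candidate is a usable gadget depends on what executes after the callee returns and on the register state the gadget needs, which is what makes a gadget "stable" in the sense the researchers describe. Second, the unaligned decode at offset 10 (`call rbx` inside the bytes of `call r11`) is deliberate: gadget finders decode at every byte offset because an attacker can jump into the middle of an instruction.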

👉 Read the original: Cyber Security News