Researchers Bypass Elastic EDR Detection with Call Gadget Exploit, Prompting Updated Defense Measures

Researchers Unveil Technique to Bypass Elastic EDR’s Call Stack Detection

In a significant development within cybersecurity, researchers have identified a method to circumvent Elastic’s Endpoint Detection and Response (EDR) system by exploiting call gadgets to evade call stack signature detection. This discovery underscores the continuous evolution of attack techniques and the necessity for adaptive defense mechanisms.

Elastic EDR’s Detection Mechanism

Elastic EDR employs call stack analysis to detect malicious activity, focusing in particular on operations that originate from code loaded into memory at runtime rather than from an executable file backed on disk. This approach is effective at identifying shellcode execution: an operation such as loading a network module from an unbacked memory region triggers an alert when the surrounding call stack matches one of Elastic's predefined call stack signatures.

Exploiting Call Gadgets to Evade Detection

The research team, known as Almond, discovered that by inserting an additional module into the call stack between standard system libraries, they could disrupt Elastic’s detection patterns. Elastic’s rules often look for specific call stack sequences, such as ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll, when network modules are loaded. By manipulating these sequences through call gadget exploitation, the researchers successfully avoided detection.

Methodology of the Evasion Technique

The evasion technique involves identifying controllable call instructions within legitimate Windows DLLs that Elastic’s detection rules do not reference. The researchers analyzed System32 DLLs for sequences containing a call through a register followed by a return instruction. They identified a stable gadget in dsdmo.dll that executes call r10, followed by stack cleanup and a return. By redirecting execution to this gadget instead of calling the target function directly, dsdmo.dll appears in the call stack between ntdll and kernelbase, which breaks the detection signature while preserving the legitimate execution flow.
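To make the detection gap concrete, here is an added Python illustration, not Elastic's rule engine and not the Almond proof of concept, that compares a strict sequence matcher with a tolerant one over constructed sample call stacks. The signature and the dsdmo.dll module name come from the article; the sample stacks, the unbacked-memory marker, the allow-list and all function names are assumptions made for the example.

```python
# Added illustration of call-stack signature matching; not Elastic's rule
# engine and not the Almond proof of concept. The signature and module names
# come from the article; the sample stacks, marker and allow-list are constructed.

# Signature quoted in the article for a network-module load, innermost frame first.
NETWORK_LOAD_SIG = ["ntdll.dll", "kernelbase.dll", "ntdll.dll", "kernel32.dll", "ntdll.dll"]
# Hypothetical allow-list of modules tolerated between signature frames
# (placeholder entry); dsdmo.dll is deliberately not on it.
EXPECTED_INTERLEAVED = {"example-shim.dll"}
UNBACKED = "<unbacked memory>"  # marker: return address not backed by a file on disk

# Constructed sample stacks, innermost frame first.
SHELLCODE_STACK = NETWORK_LOAD_SIG + [UNBACKED]          # classic shellcode load
GADGET_STACK = ["ntdll.dll", "dsdmo.dll", "kernelbase.dll",  # gadget inserts dsdmo.dll
                "ntdll.dll", "kernel32.dll", "ntdll.dll", UNBACKED]
BENIGN_STACK = NETWORK_LOAD_SIG + ["app.exe"]            # same frames, file-backed caller

def strict_match(stack, sig=NETWORK_LOAD_SIG):
    """Exact prefix comparison: how a rigid sequence rule behaves."""
    return stack[:len(sig)] == sig

def subsequence_match(stack, sig=NETWORK_LOAD_SIG):
    """Ordered match tolerating extra frames between signature frames.
    Returns the stack indices of the matched frames, or None."""
    hits = []
    for i, module in enumerate(stack):
        if len(hits) < len(sig) and module == sig[len(hits)]:
            hits.append(i)
    return hits if len(hits) == len(sig) else None

def interleaved_modules(stack, hits):
    """Modules sitting between consecutive matched signature frames."""
    return [m for a, b in zip(hits, hits[1:]) for m in stack[a + 1:b]]

def evaluate(stack):
    """Defender-side verdict: does the rigid rule fire, does the tolerant rule
    fire, and which interleaved modules are unexpected?"""
    hits = subsequence_match(stack)
    from_unbacked = UNBACKED in stack
    extra = interleaved_modules(stack, hits) if hits else []
    return {
        "strict_signature": strict_match(stack) and from_unbacked,
        "tolerant_signature": hits is not None and from_unbacked,
        "unexpected_frames": [m for m in extra if m not in EXPECTED_INTERLEAVED],
    }

if __name__ == "__main__":
    for name, stack in [("shellcode", SHELLCODE_STACK), ("gadget", GADGET_STACK), ("benign", BENIGN_STACK)]:
        print(name, evaluate(stack))
```

A rule that matches the signature as an ordered subsequence and reports unexpected interleaved frames still fires on the gadget stack, at the cost of maintaining an allow-list for legitimate shim modules.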

Implications and Response

This technique highlights the sophistication of modern evasion methods and the challenges faced by EDR systems in maintaining robust detection capabilities. The researchers responsibly disclosed their findings to Elastic prior to publication. Elastic acknowledged the technique and is actively developing updated detection rules to address this evasion method. The complete proof-of-concept code has been made available on GitHub, demonstrating the ongoing collaboration between independent researchers and EDR vendors to enhance cybersecurity defenses.

Broader Context of EDR Evasion Techniques

This discovery is part of a broader trend where attackers continuously develop new methods to bypass EDR systems. For instance, the Mockingjay technique involves utilizing DLLs with Read-Write-Execute (RWX) sections to inject code into remote processes, effectively evading EDR hooks and executing malicious code undetected. Similarly, the CONTEXT-Only Attack Surface technique focuses solely on execution primitives, eliminating the need for memory allocation or writing operations that typically trigger security alerts. These evolving tactics underscore the importance of continuous research and adaptation in cybersecurity defenses.

Conclusion

The identification of this evasion technique serves as a reminder of the dynamic nature of cybersecurity threats. It emphasizes the need for EDR systems to evolve continually and for organizations to stay informed about emerging threats and mitigation strategies. Collaborative efforts between researchers and security vendors are crucial in developing resilient defenses against sophisticated attack methods.