Security researcher SAERXCIT detailed a novel technique to evade detection rules in Elastic’s Endpoint Detection and Response (EDR) platform, specifically targeting call-stack analysis for shellcode-based module loading.
Published on November 6, 2025, the findings highlight ongoing cat-and-mouse games between defenders and attackers, leveraging Elastic’s open-source detection artifacts to test and refine evasion methods.
While praising Elastic’s transparency, unlike many proprietary EDR vendors, the post underscores how such openness fosters collective security improvements.
Elastic’s EDR heavily relies on kernel-level call-stack telemetry to flag suspicious behaviors, such as loading network libraries like ws2_32.dll or wininet.dll from unbacked memory, a hallmark of in-memory shellcode used by command-and-control (C2) implants.
Rules scan for patterns indicating operations from dynamically allocated memory, excluding false positives from trusted modules.
However, as SAERXCIT demonstrates, these signatures are vulnerable to manipulation, building on prior techniques like call-stack spoofing and API proxying via thread pool callbacks.
Exploiting Thread Pool APIs For Evasion
The core bypass uses a modified version of Chetan Nayak’s API proxying proof-of-concept, adapted for thread pool APIs (TpAllocWork and TpPostWork) to load libraries asynchronously.
In a baseline test, loading wininet.dll via this method triggered Elastic’s rule for “library loaded via a callback function,” which matches call stacks like “ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll.”

This alert kills the process, as the stack reveals the callback’s untrusted origin.
To counter this, SAERXCIT inserts a “call gadget” from an innocuous DLL, dsdmo.dll (version 10.0.26100.1882), into the stack.
By jumping to a sequence in dsdmo.dll that calls a register (holding LoadLibraryA’s address) followed by a return, the stack now includes dsdmo.dll between ntdll.dll and kernelbase.dll, disrupting the signature.
This gadget, found via disassembly of System32 DLLs, avoids detection because dsdmo.dll isn’t on Elastic’s watched list of suspicious modules.
The technique requires pre-loading the older DLL to access the gadget, but it evades the rule without crashing, allowing seamless network module loading.
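The signature described above is a fixed module sequence, so a single foreign frame wedged between ntdll.dll and kernelbase.dll breaks the match while the rest of the stack shape is unchanged. The following Python is an added, detection-side model of that blind spot, not Elastic’s rule logic or SAERXCIT’s code: it compares an exact-prefix match on the quoted sequence with an order-tolerant match that records interposed modules and combines the result with an unbacked-origin indicator. The event schema, the `unbacked_origin` flag and the three sample stacks are constructed for this example.

```python
"""Detection-side model of the call-stack signature described above.

Call stacks are the '|'-separated module summary quoted in the article,
innermost frame first. The event layout, the 'unbacked_origin' flag and
the sample stacks are constructed for this example; they are not Elastic's
telemetry format or rule logic.
"""

# Module sequence the article quotes for Elastic's
# "library loaded via a callback function" rule.
CORE = ("ntdll.dll", "kernelbase.dll", "ntdll.dll", "kernel32.dll", "ntdll.dll")
CORE_SET = set(CORE)
DOCUMENTED_PATTERN = "|".join(CORE)

# Network libraries the article names as the rule's focus.
NETWORK_LIBS = {"ws2_32.dll", "wininet.dll"}


def _frames(stack: str) -> list[str]:
    return [f.strip().lower() for f in stack.split("|") if f.strip()]


def strict_match(stack: str) -> bool:
    """Exact prefix match on the documented sequence (the brittle form)."""
    return "|".join(_frames(stack)).startswith(DOCUMENTED_PATTERN)


def tolerant_match(stack: str, max_interposed: int = 2) -> tuple[bool, list[str]]:
    """Match CORE as an ordered subsequence, tolerating a few foreign frames.

    Frames that are not loader modules may sit between the expected frames;
    they are collected so an analyst sees what was wedged into the stack.
    A loader module appearing out of the expected order means a different
    stack shape, not a variant of this one, so it is not matched.
    """
    want = list(CORE)
    interposed: list[str] = []
    for frame in _frames(stack):
        if not want:
            break
        if frame == want[0]:
            want.pop(0)
        elif frame in CORE_SET:
            return False, interposed
        else:
            interposed.append(frame)
    return (not want and len(interposed) <= max_interposed), interposed


def evaluate(event: dict) -> str:
    """Verdict for one library-load event (constructed schema)."""
    if event["library"].lower() not in NETWORK_LIBS:
        return "ignore"
    if strict_match(event["stack"]):
        return "alert: documented callback pattern"
    matched, interposed = tolerant_match(event["stack"])
    if matched and event["unbacked_origin"]:
        return "alert: callback pattern with interposed " + ",".join(interposed)
    return "allow"


# Constructed sample events modelled on the article's description.
EVENTS = {
    "baseline": {  # thread-pool load of wininet.dll, no gadget
        "library": "wininet.dll",
        "stack": "ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll",
        "unbacked_origin": True,
    },
    "gadget": {  # same load with a dsdmo.dll call gadget wedged in
        "library": "wininet.dll",
        "stack": "ntdll.dll|dsdmo.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll",
        "unbacked_origin": True,
    },
    "benign": {  # ordinary LoadLibrary from a backed image
        "library": "wininet.dll",
        "stack": "ntdll.dll|kernelbase.dll|kernel32.dll|explorer.exe",
        "unbacked_origin": False,
    },
}


def run_all() -> dict[str, str]:
    return {name: evaluate(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        strict = strict_match(EVENTS[name]["stack"])
        print(f"{name:9} strict={str(strict):5} -> {verdict}")
```

Running it shows the gap and the repair side by side: the baseline stack trips the strict match, the gadget stack does not, and the tolerant matcher still flags the gadget stack because the loader sequence is intact and the load originates from unbacked memory. The benign stack has a different loader order and a backed origin, so neither form alerts on it.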
Implications and Future Defenses
Tested on Elastic EDR 9.2.0, this method fills a critical gap for C2 implants but doesn’t guarantee full stealth; other rules may catch ancillary behaviors.

SAERXCIT notes the gadget’s instability across Windows updates, emphasizing tools like Winbindex for version hunting. Elastic has been notified and is updating rules accordingly.
The proof-of-concept code is publicly available, inviting further research into multi-parameter API calls and broader evasions.
This work reminds the industry that while call stacks offer rich telemetry, targeted blind spots persist, urging continuous rule evolution.