Bypass Record

EDR Unhooking × Elastic EDR

A publicly reported instance of EDR Unhooking bypassing Elastic EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Elastic EDR
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-11-06
Config / version noted: Not stated

Provenance

Reported as

evade Elastic EDR's call stack signature detections by using call gadgets

Mechanism

Uses 'call gadgets' (small code snippets) to manipulate the call stack, altering the apparent sequence of function calls so that the stack no longer matches the expected call-stack patterns on which Elastic EDR's signature-based behavioral detection relies.

Detection & mitigation

Monitor for unusual call stack behaviors or unexpected control flow patterns using endpoint telemetry that captures execution traces. Implement anomaly-based detection and conduct threat hunting for call stack manipulations.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.