EDR-Redir V2 Evades Windows Defender Using Fake Program Files

A security researcher has released an upgraded evasion tool called EDR-Redir V2 that exploits Windows bind link technology to bypass Endpoint Detection and Response solutions on Windows 11.

This new version takes a different approach from its predecessor by targeting parent directories rather than directly attacking security software folders.

How the Attack Works

The technique relies on a clever manipulation of Windows folder structures that security software depends on.

When antivirus and EDR solutions install on Windows systems, they typically place their files in standard locations like Program Files, Program Files (x86), or ProgramData.

While these security tools protect their own operating folders from unauthorized file writing, they cannot prevent modifications to their parent directories without breaking other legitimate software installations.

EDR-Redir V2 exploits this limitation by creating bind links that redirect entire parent folders.

The tool first queries all subfolders within a target directory, like Program Files, then creates corresponding folders in an attacker-controlled location.

It then establishes bind links that loop each of those folders back to its original location, so most folders resolve to themselves and continue to function normally.

However, the security software’s folder is deliberately excluded from this loop, forcing it to redirect through the attacker’s controlled directory instead.

This redirection makes the security software believe the attacker’s folder is its legitimate parent directory.

Once this redirection is established, attackers can perform DLL hijacking by placing malicious executable files in the redirected location, potentially gaining code execution privileges while evading detection.

The researcher demonstrated the technique on Windows 11 against Windows Defender, whose folder resides under the C:\ProgramData\Microsoft\ directory.

Run from the command line, EDR-Redir successfully redirected Windows Defender so that it saw C:\TMP\TEMPDIR as its parent folder.

The tool provides console output showing which bind links are created, allowing security researchers to monitor the redirection process.

The attack requires specifying three parameters: the target folder to redirect, the attacker-controlled destination folder, and an exception folder where the link loop should not be created.

This exception is critical for forcing the security software through the redirected path while maintaining normal operation of other system components.

The researcher believes many EDR solutions could be vulnerable to this technique because developers typically do not anticipate parent folders like Program Files being redirected.

This assumption creates a blind spot in security architectures that focus on protecting specific application directories without monitoring the integrity of parent folder structures.

The recommended defense involves monitoring bind link creation and modification for critical system folders.

Security teams should implement detection rules that alert when bind links are established for sensitive directories like Program Files, Program Files (x86), and ProgramData.

Regular integrity checks of folder structures can help identify unauthorized redirections before they can be exploited.
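An offline illustration of the folder-structure integrity check described above, added here as an example and not code from the article or the EDR-Redir project: it baselines the directory identity (volume id, file index) of each sensitive folder and of its immediate subfolders, then flags any name that later resolves to a different directory object or any subfolder that appears or disappears. It assumes that a folder reached through a bind link reports a different identity than the original; SENSITIVE_DIRS lists the article's folders, and demo() simulates the swap on a constructed temporary tree so the check runs on any platform.

```python
import os
import tempfile

# Directories the article names as redirection targets (a deployment would
# add each EDR vendor's own install folder).
SENSITIVE_DIRS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\ProgramData"]

def snapshot(paths):
    """Record (st_dev, st_ino) of each existing directory and its immediate subfolders.
    Assumption: a folder reached through a bind link is a different directory object."""
    snap = {}
    for path in paths:
        if not os.path.isdir(path):
            continue
        st = os.stat(path)
        children = {}
        with os.scandir(path) as it:
            for e in it:
                if e.is_dir(follow_symlinks=False):
                    cst = e.stat(follow_symlinks=False)
                    children[e.name] = (cst.st_dev, cst.st_ino)
        snap[path] = {"id": (st.st_dev, st.st_ino), "children": children}
    return snap

def compare(baseline, current):
    # Findings: identity drift of the folder or a subfolder, missing or new subfolders.
    findings = []
    for path, old in baseline.items():
        new = current.get(path, {"id": None, "children": {}})
        if old["id"] != new["id"]:
            findings.append(f"{path}: identity changed (possible redirection)")
        for name, oid in old["children"].items():
            nid = new["children"].get(name)
            if nid is None:
                findings.append(f"{os.path.join(path, name)}: subfolder missing")
            elif nid != oid:
                findings.append(f"{os.path.join(path, name)}: identity changed (possible redirection)")
        for name in new["children"].keys() - old["children"].keys():
            findings.append(f"{os.path.join(path, name)}: new subfolder")
    return findings

def demo():
    # Constructed scenario: one subfolder name is re-pointed at a new directory
    # object, as a bind link would do; only that entry should be flagged.
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "Program Files")
    for sub in ("Windows Defender", "Other Vendor"):
        os.makedirs(os.path.join(root, sub))
    before = snapshot([root])
    os.rename(os.path.join(root, "Windows Defender"), os.path.join(tmp, "stash"))
    os.mkdir(os.path.join(root, "Windows Defender"))  # same name, new identity
    return compare(before, snapshot([root]))
```

On a live host, persist snapshot(SENSITIVE_DIRS) as the baseline and run compare() on a schedule; an alert on drift complements the bind link creation monitoring the article recommends.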

The EDR-Redir V2 tool is publicly available on GitHub, making it accessible to both security researchers and potential threat actors.

Organizations running EDR solutions on Windows systems should evaluate their defenses against this technique and implement appropriate monitoring controls to detect bind link manipulation attempts.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.