Security researcher TwoSevenOneT has released EDR-Redir V2, an upgraded evasion tool that exploits Windows bind link technology to bypass endpoint detection and response solutions on Windows 11.
The new version demonstrates a sophisticated approach to redirecting security software by manipulating parent directories rather than directly targeting protected EDR folders.
Novel Attack Methodology Targets Parent Folders
Unlike the original EDR-Redir tool that created bind links directly to antivirus and EDR executable folders, version 2 employs a different strategy targeting parent directories such as Program Files or ProgramData.
The researcher discovered that while EDR solutions protect their operating folders from unauthorized file writing, they cannot prevent modifications to parent directories without disrupting legitimate software installations across the system.

The technique creates a circular bind link structure where folders point back to themselves through an attacker-controlled temporary directory.
EDR-Redir V2 first queries all subfolders within the target parent directory, then creates corresponding folders in an attacker-controlled location like C:\TMP\TEMPDIR.
The tool establishes bind links creating a loop that causes folder access to circle back through the temporary directory, deliberately excluding the EDR’s specific folder from this loop.
In a proof-of-concept demonstration, the researcher successfully redirected Windows Defender on Windows 11. Windows Defender operates from C:\ProgramData\Microsoft\Windows Defender, making the C:\ProgramData\Microsoft folder the attack target.
Running EDR-Redir with specific parameters successfully forced Windows Defender to perceive the attacker-controlled temporary directory as its parent folder, enabling potential DLL hijacking attacks.
The tool execution requires three parameters: the folder to redirect, the target location, and the exception folder that should remain unlinked.
During execution, EDR-Redir displays console information about created bind links for monitoring purposes, confirming successful redirection of the security software.
The researcher suggests this technique could affect numerous antivirus and EDR solutions, as many developers may not anticipate parent directories like Program Files being redirected during normal operations.
Once an attacker successfully compromises the parent folder, EDR protection of operating directories becomes ineffective.
The technique opens pathways for DLL hijacking by allowing attackers to drop malicious executable files into the redirected temporary directory.
Security teams can defend against this attack vector by implementing monitoring for bind link creation attempts targeting critical system folders like Program Files and ProgramData.
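One way to turn that recommendation into a check, as an added example that is not part of the article or of the EDR-Redir tool: record a baseline of which directory each subfolder of a critical parent (Program Files, ProgramData) actually resolves to, then re-check periodically and flag any subfolder whose resolved identity has changed. The identity used is the pair `os.stat` reports as `st_dev`/`st_ino` (on Windows, the volume serial number and file index). The demo builds a throwaway folder layout and stands in for a redirection with a symlink; the assumption, stated here and in the code, is that a directory redirected by a bind link likewise reports the identity of the backing directory when opened through its original path.

```python
import os
import tempfile
from pathlib import Path

# Parent folders the write-up names as targets; any list of directories works.
DEFAULT_WATCHED = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\ProgramData"]


def dir_identity(path):
    """Return (device/volume id, file index/inode) of the directory `path` resolves to.

    os.stat follows links, so if a subfolder name now resolves to a different
    backing directory (junction, symlink, or, by assumption, a bind link), the
    identity changes even though the visible path does not.
    """
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def snapshot(parent):
    """Map each immediate subfolder of `parent` to the identity it resolves to."""
    result = {}
    with os.scandir(parent) as entries:
        for entry in entries:
            if not entry.is_dir():  # follows links on purpose: we want the target
                continue
            try:
                result[entry.name] = dir_identity(entry.path)
            except OSError:
                continue  # unreadable entry; skipped rather than aborting the scan
    return result


def compare(baseline, current):
    """Diff two snapshots: report redirected, missing and newly appeared subfolders."""
    findings = []
    for name, ident in baseline.items():
        if name not in current:
            findings.append(("missing", name))
        elif current[name] != ident:
            findings.append(("redirected", name))
    for name in current:
        if name not in baseline:
            findings.append(("new", name))
    return findings


def check_watched(baselines, watched=DEFAULT_WATCHED):
    """Re-scan every watched parent and return all findings keyed by parent path."""
    report = {}
    for parent in watched:
        if parent in baselines and os.path.isdir(parent):
            report[parent] = compare(baselines[parent], snapshot(parent))
    return report


def demo():
    """Constructed scenario: a parent folder with two vendor subfolders is
    baselined, then one subfolder is made to resolve to an attacker-controlled
    stand-in directory (symlink used here in place of a bind link)."""
    with tempfile.TemporaryDirectory() as root:
        parent = Path(root) / "parent"
        for name in ("Vendor", "EDR"):
            (parent / name).mkdir(parents=True)
        attacker_dir = Path(root) / "TEMPDIR"  # constructed stand-in location
        attacker_dir.mkdir()

        baseline = snapshot(parent)

        # Redirect "Vendor": move the real folder aside, point the name elsewhere.
        (parent / "Vendor").rename(Path(root) / "Vendor_real")
        os.symlink(attacker_dir, parent / "Vendor", target_is_directory=True)

        return compare(baseline, snapshot(parent))


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind}: {name}")
```

In production the baseline would be taken on a known-clean host and stored outside the watched tree, and the "redirected" finding would be raised as an alert rather than printed; the check complements, rather than replaces, telemetry on the bind link creation itself.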
The tool is publicly available on GitHub, raising concerns about potential exploitation by threat actors targeting enterprise environments.
Organizations running Windows 11 with various EDR solutions should evaluate their vulnerability to parent folder redirection techniques and implement appropriate bind link monitoring controls.