I. INTRODUCTION
In previous articles, I demonstrated using Windows’ bind link feature to block
or redirect Antivirus/EDR from accessing their executable folder. You can
review this article via the link:
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter
However, some EDRs provide good protection for their operating folders,
resulting in failed bind link creation.
This time, I will upgrade EDR-Redir to version V2. Of course, I will
still use bind link technology, but in a completely different way.
I will experiment with EDR-Redir V2 using Windows Defender on Windows 11. With
this new approach, I’m quite confident it will work with many Antivirus/EDR
solutions.
Find me on X to get the latest pentest and red team tricks that I’ve been
researching: Two Seven One Three (@TwoSevenOneT) / X
II. MAIN SECTION
1. The Idea Behind Working With EDR-Redir V2
When software is installed on Windows, it typically resides in a subfolder,
such as Program Files, Program Files (x86), ProgramData,
and so on.
Antivirus and EDR software are no exception; most of them are located in
either Program Files or Program Files (x86). Windows Defender,
however, is found in ProgramData.
Antivirus and EDRs, in order to protect their operating folders, typically
prevent writing files there. However,
they cannot stop file writing to their parent folder. For example, if
they block writing to the Program Files folder, they inadvertently
prevent other software from being installed on the machine, which can cause
significant inconvenience for users.
So why not think outside the box? Instead of creating a bind link to
the EDR’s folder, we could
create a bind link to the Program Files folder, for example.
When dealing with the Program Files folder, we encounter the issue of ensuring
that other software, aside from the EDR, functions normally.
The idea here is to create bind links so that a folder points back to
itself.

The steps to implement this idea are as follows (I will provide an example
using the Program Files folder):
- Query all the folders within the Program Files folder.
- Create corresponding folders in a location you fully control (C:\TMP\TEMPDIR).
- Create bind links from the folders in Program Files that point to their corresponding folders in C:\TMP\TEMPDIR.
- Continue creating bind links from C:\TMP\TEMPDIR that point to the corresponding folders in Program Files. This will create a loop, causing access to the folders in Program Files to circle back to themselves. Most importantly, we will not create a bind link for the EDR’s folder at this stage.
- Create a bind link from Program Files to C:\TMP\TEMPDIR to force the redirection of the EDR’s folder through TEMPDIR.
- At this point, you can perform DLL hijacking by dropping executable files that the EDR usually interacts with into TEMPDIR, allowing you to leverage them to activate in place of the EDR.
Once these steps are successfully completed, we may be able to effectively
redirect even the most stubborn types of EDRs.
2. Experimenting With EDR-Redir V2 Using Windows Defender
First, you can download EDR-Redir via the link below.
https://github.com/TwoSevenOneT/EDR-Redir
Windows Defender on Windows 11 is located at C:\ProgramData\Microsoft. Therefore, I will
target this folder for the attack.
I will run EDR-Redir with the following parameters:
EDR-Redir.exe C:\ProgramData\Microsoft c:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender"
C:\ProgramData\Microsoft is the folder I need to redirect elsewhere.
C:\TMP\TEMPDIR is the target folder.
C:\ProgramData\Microsoft\Windows Defender is the exception folder; no link loop
will be created for it, so it is not blocked and Defender is redirected through
the target folder instead.
During execution, EDR-Redir will print to the console information about which
bind links will be created for easier monitoring. As shown in the results, I
successfully redirected Windows Defender to C:\TMP\TEMPDIR.
At this point, Windows Defender will always see the folder
C:\TMP\TEMPDIR as the parent folder of its operating folder.
3. Demo Video
III. INFERENCE
Antivirus/EDR can only protect their operating folders; they cannot intervene
in the parent folders of these directories. Once the parent folder is
successfully attacked, the protection of the operating folders by the EDR
becomes meaningless.
When programming, many developers may not consider the possibility of a folder
like Program Files being redirected. Therefore, I suspect that the list of
EDRs affected by this technique will be quite extensive.
The defensive approach is to monitor the use of bind links on folders such as
Program Files, so that any tampering with them by an attacker is detected.
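As an added example of the defensive approach (this is not part of the original article or of the EDR-Redir project), the script below baselines which on-disk directory each protected folder and its immediate subfolders resolve to, and later reports any folder whose identity has changed while its path string stayed the same. A bind link, like a junction or symlink, changes what a path resolves to; on Windows, os.stat() exposes that as the volume serial number (st_dev) and NTFS file index (st_ino). The watched folder list and the baseline file name are assumptions for illustration.

```python
"""Baseline-and-compare check for redirected protected folders (added example,
not the article's own code). Records the (volume, file index) identity each
watched folder resolves to and reports folders whose identity later differs.
"""
import json
import os
import sys

# Folders a defender would typically baseline. Assumed list; adjust per host.
DEFAULT_WATCH = [
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\ProgramData\Microsoft",
]

BASELINE_FILE = "folder-identity-baseline.json"  # assumed name


def folder_identity(path):
    """Return [st_dev, st_ino] for a directory. On Windows this is the volume
    serial number and the NTFS file index of the directory the path actually
    resolves to, so a redirect of the path changes the pair."""
    st = os.stat(path)
    return [st.st_dev, st.st_ino]


def collect_identities(roots):
    """Record the identity of each watched root and of each of its immediate
    subfolders. Roots that do not exist on this host are skipped."""
    result = {}
    for root in roots:
        if not os.path.isdir(root):
            continue
        result[root] = folder_identity(root)
        for name in sorted(os.listdir(root)):
            child = os.path.join(root, name)
            if os.path.isdir(child):
                result[child] = folder_identity(child)
    return result


def compare_identities(baseline, current):
    """Return (kind, path) findings: 'redirected' when a path now resolves to a
    different directory, 'missing' when a baselined folder is gone, and 'new'
    when a folder appeared under a watched root since the baseline."""
    findings = []
    for path, ident in baseline.items():
        if path not in current:
            findings.append(("missing", path))
        elif list(current[path]) != list(ident):
            findings.append(("redirected", path))
    for path in current:
        if path not in baseline:
            findings.append(("new", path))
    return findings


def main(argv):
    mode = argv[1] if len(argv) > 1 else "check"
    if mode == "baseline":
        with open(BASELINE_FILE, "w") as fh:
            json.dump(collect_identities(DEFAULT_WATCH), fh, indent=2)
        print("baseline written to", BASELINE_FILE)
        return 0
    with open(BASELINE_FILE) as fh:
        baseline = json.load(fh)
    findings = compare_identities(baseline, collect_identities(DEFAULT_WATCH))
    for kind, path in findings:
        print(f"{kind}: {path}")
    # Non-zero exit when anything changed, so a scheduled task can alert on it.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with `baseline` on a known-good host and then periodically with `check`. A finding of `redirected` on a parent folder such as C:\ProgramData\Microsoft, or on the EDR's own subfolder, is exactly the condition the article describes. Store the baseline off the host (or sign it), since an attacker who can create bind links as an administrator can also rewrite a local baseline file; identity changes are also expected after legitimate installs and volume migrations, so review findings rather than treating every one as an alert.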
IV. READING
Some books you should read to sharpen your cybersecurity skills, especially
in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium
Researchers
Essential hardware tools that every security researcher and hacker should
have in their toolkit:
Hardware Tools For Security Researcher and Hacker
Author of the article: Two Seven One Three