
A new tool called EDR-Redir has emerged, allowing attackers to redirect or isolate the executable folders of popular Endpoint Detection and Response (EDR) solutions.
Demonstrated by cybersecurity researcher TwoSevenOneT, the technique leverages Windows’ Bind Filter driver (bindflt.sys) and Cloud Filter driver (cldflt.sys) to undermine EDR protections without requiring kernel-level access.
This user-mode exploit, rooted in the Bring Your Own Vulnerable Driver (BYOVD) approach, could enable attackers to disable defenses, inject malicious code, or hijack processes, leaving systems vulnerable to undetected intrusions.
The vulnerability stems from Windows 11’s Bind Link feature, introduced in version 24H2. Bind Links provide filesystem namespace redirection via virtual paths, managed by the bindflt.sys minifilter driver.
Unlike traditional symbolic links, which EDRs actively monitor and block using mechanisms like Microsoft’s RedirectionGuard, Bind Links operate transparently at the driver level.
They map virtual paths to real ones, local or remote, without creating physical files, inheriting permissions from the target while remaining invisible to most applications.
This subtlety allows attackers with administrator privileges to perform read and open operations on protected EDR folders, which are typically locked against writes.
EDR-Redir, available as an open-source tool on GitHub, simplifies the process with straightforward commands. For instance, running “EDR-Redir.exe bind C:\TMP\123 C:\TMP\456” creates a virtual path at C:\TMP\123 that redirects all interactions to C:\TMP\456.
The researcher tested this against multiple EDRs. With Elastic Defend and Sophos Intercept X, the tool successfully redirected their executable folders to attacker-controlled locations.


Once redirected, adversaries could drop DLLs for process hijacking, insert malicious executables, or empty the folder to halt EDR operations on reboot. Notably, these Bind Links do not persist across restarts, requiring a scheduled task or service for automation.
Bypassing Windows Defender with Cloud Filter Tricks
Windows Defender proved more resilient to direct Bind Link redirection, likely due to its integrated protections. However, the researcher devised a workaround using the Cloud Files API (CFAPI), powered by cldflt.sys.

This API, designed for sync engines like OneDrive, enables on-demand file access through placeholder files. By invoking CfRegisterSyncRoot with minimal policies (essentially an incomplete registration), EDR-Redir registers the Defender folder as a “sync root.”
This corrupts access, preventing the EDR from reading or writing to its directory. Post-reboot, Defender’s services fail to start, effectively isolating it.
Unlike Bind Links, this Cloud Filter method persists without additional setup, making it particularly stealthy. A demo video shared by the researcher illustrates the process, showing Defender’s folder becoming inaccessible after registration.
Tests confirmed similar efficacy against two unnamed commercial EDRs, highlighting a broad risk.
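A defender-side check for the two tampering routes described above (a sync root registered over an EDR folder, and reparse points inside it), written here as an added example and not taken from EDR-Redir or any EDR vendor's code. It assumes the SyncRootManager registry layout noted in the comments and uses placeholder EDR paths that must be adjusted per host.

```powershell
# Added defensive check, not code from EDR-Redir or any EDR vendor.
# Assumptions: the folders in $ProtectedDirs are placeholders for your EDR's
# install directories, and sync roots registered through CfRegisterSyncRoot
# appear under SyncRootManager\<provider>\UserSyncRoots\<SID> = <path>.
$ProtectedDirs = @(
    "$env:ProgramFiles\Windows Defender",   # placeholder, adjust per host
    "$env:ProgramFiles\ExampleEDR"          # placeholder
)

function Get-RegisteredSyncRoots {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    if (-not (Test-Path $key)) { return @() }
    foreach ($provider in Get-ChildItem -Path $key) {
        $userRoots = Join-Path $provider.PSPath 'UserSyncRoots'
        if (-not (Test-Path $userRoots)) { continue }
        # Value names are user SIDs; value data is the sync root directory.
        foreach ($p in (Get-ItemProperty -Path $userRoots).PSObject.Properties) {
            if ($p.Name -match '^S-1-') {
                [pscustomobject]@{ Provider = $provider.PSChildName; Path = [string]$p.Value }
            }
        }
    }
}

function Test-EdrFolderTamper {
    param([string[]]$Dirs = $ProtectedDirs)
    $roots = @(Get-RegisteredSyncRoots)
    $cmp = [StringComparison]::OrdinalIgnoreCase
    foreach ($dir in $Dirs) {
        $norm = $dir.TrimEnd('\')
        # 1. A sync root on, above or inside an EDR folder is the cldflt.sys
        #    abuse described in the article; no legitimate sync engine registers
        #    an EDR install directory.
        foreach ($r in $roots) {
            $rp = $r.Path.TrimEnd('\')
            if ($norm.StartsWith($rp, $cmp) -or $rp.StartsWith($norm, $cmp)) {
                "ALERT sync root '$rp' (provider $($r.Provider)) overlaps $norm"
            }
        }
        # 2. Reparse points (symlinks, junctions, cloud placeholders) inside the
        #    folder. Bind links are NOT visible here: bindflt.sys redirects in the
        #    filter stack without a reparse point, so pair this with monitoring of
        #    the scheduled tasks or services needed to re-create them after reboot.
        if (Test-Path -LiteralPath $norm) {
            Get-ChildItem -LiteralPath $norm -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
                ForEach-Object { "WARN reparse point $($_.FullName) [$($_.LinkType)]" }
        } else {
            "WARN $norm is missing or unreadable; an isolated EDR folder looks like this after reboot"
        }
    }
}

Test-EdrFolderTamper
```

Run it elevated from a scheduled job and forward any ALERT or WARN lines to your SIEM; on a clean host it prints nothing.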
This technique underscores a growing challenge: EDRs must evolve beyond user-mode symlink defenses to scrutinize minifilter interactions. Attackers gain full control over EDR behaviors, potentially evading detection in red-team exercises or real breaches.
Organizations should audit administrator privileges, monitor for unusual driver loads, and apply Windows patches promptly. Vendors like Microsoft, Elastic, and Sophos are urged to enhance folder protections against these API abuses.
As endpoint threats intensify, tools like EDR-Redir remind us that even robust defenses can falter on overlooked filesystem features.



