New EDR-Redir Tool Bypasses EDRs by Exploiting Bind Filter and Cloud Filter Driver

Cybersecurity researchers have developed a sophisticated new tool called EDR-Redir that can bypass Endpoint Detection and Response (EDR) systems by exploiting Windows’ Bind Filter and Cloud Filter drivers.

This technique represents a significant advancement in evasion methods that operate entirely in user mode without requiring kernel privileges.

The Windows Bind Link feature, introduced in Windows 11 version 24H2, enables filesystem namespace redirection using virtual paths.

This functionality allows administrators to map virtual paths on local systems to backing paths without physically copying files. The Bind Filter driver (bindflt.sys) handles this redirection transparently to applications.

The bind link system offers virtual path mapping that redirects file system access, transparent operation without requiring application awareness, security inheritance from backing paths, and logical mapping without creating physical files.

How EDR-Redir Exploits System Vulnerabilities

Traditional EDR systems maintain strong protection around their executable file locations to prevent tampering.

However, EDR-Redir leverages the bind link functionality to redirect folders containing EDR executable files to attacker-controlled locations. This approach circumvents existing protections that EDRs use against symbolic link redirect attacks.

The tool operates by creating virtual paths that point to real paths under attacker control. Creating these bind links requires only OPEN and READ access to the EDR’s executable folder, permissions that administrators already hold.

[Image: EDR break]

This technique bypasses the Redirection Guard protections that normally stop privileged services from following symbolic links.

Security researchers conducted experiments using EDR-Redir against multiple commercial EDR solutions with varying success.

Windows Defender proved resistant to the basic bind link approach, prompting researchers to develop an alternative method using the Cloud Filter API.

Testing against Elastic Defend demonstrated successful redirection of the EDR’s executable folder to an attacker-controlled path.

Similarly, experiments with Sophos Intercept X showed successful folder redirection, allowing complete control over the EDR’s working directory.

For resistant systems like Windows Defender, researchers employed the Windows Cloud Filter API (CFAPI) through the cldflt.sys driver.

[Image: Elastic EDR]

This approach involves registering a sync root folder with minimal policies, effectively corrupting the target folder and preventing EDR access to essential files.

The Cloud Filter method proves particularly effective because sync root folders persist after system reboots, eliminating the need for persistence mechanisms that traditional bind links require.

[Image: Sync fail]

Once attackers gain control over EDR folders, they can execute various malicious activities including DLL hijacking, placing executable files for EDR execution, or completely disabling EDR processes and services.

Because the technique operates at the minifilter driver level, it produces few user-mode events for monitoring tools to observe.

Defending against EDR-Redir primarily requires EDR vendors to strengthen the protection of their installation folders and to monitor those folders for redirection.
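As an added illustration of the folder monitoring the article calls for (this script is not part of EDR-Redir or of the article), the following PowerShell check inspects EDR install folders for reparse points and flags the Cloud Filter (cldflt.sys) tag family that a sync-root registration leaves on a directory. The folder paths are assumed examples to be adjusted per environment; bind links are not covered here, since bindflt.sys leaves no such on-disk marker.

```powershell
# Added defender-side check (not from the article or the EDR-Redir tool):
# report EDR install folders that carry a reparse point, and single out the
# Cloud Filter tag family, which indicates a registered sync root.
# Run from an elevated prompt; fsutil needs access to the folder's reparse data.
param(
    [string[]] $Folders = @(
        'C:\Program Files\Windows Defender',   # assumed location, adjust
        'C:\Program Files\Elastic\Endpoint'    # assumed location, adjust
    )
)

# IO_REPARSE_TAG_CLOUD is 0x9000001A. The other cloud tags differ only in
# bits 12-15, which IO_REPARSE_TAG_CLOUD_MASK (0x0000F000) masks off.
# 64-bit literals avoid the sign wrap of a 32-bit 0x9000001A in PowerShell.
$CloudTag  = 0x9000001AL
$CloudMask = 0x0000F000L

function Get-ReparseTag {
    param([string] $Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        return $null   # plain directory, nothing to inspect
    }
    # fsutil prints a line such as "Reparse Tag Value : 0x9000001a"
    $out  = & fsutil.exe reparsepoint query $Path 2>$null
    $line = @($out | Where-Object { $_ -like 'Reparse Tag Value*' })[0]
    if ($line -and $line -match '0x([0-9a-fA-F]+)') {
        return [Convert]::ToInt64($Matches[1], 16)
    }
    return $null
}

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Output "MISSING  $folder"
        continue
    }
    $tag = Get-ReparseTag -Path $folder
    if ($null -eq $tag) {
        Write-Output "OK       $folder (no reparse point)"
    } elseif (($tag -band (-bnot $CloudMask)) -eq $CloudTag) {
        Write-Output ("ALERT    {0} carries Cloud Filter tag 0x{1:X8} (sync root registered)" -f $folder, $tag)
    } else {
        Write-Output ("WARN     {0} carries reparse tag 0x{1:X8}" -f $folder, $tag)
    }
}
```

An ALERT on a folder that no cloud storage product is expected to manage is the condition worth investigating, since a healthy EDR install folder should report no reparse point at all.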
