New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files


An upgraded release of the EDR-Redir tool, EDR-Redir V2, has been published. It is designed to evade Endpoint Detection and Response (EDR) systems by abusing the Windows bind link feature in a new way.

According to the researcher TwoSevenOneT, the new version targets the parent directories of EDR installations, such as Program Files, and creates redirection loops that blind the security software without disrupting legitimate applications.

Previously, EDR-Redir redirected the EDR's folder directly, and self-protection often blocked those attempts. V2 sidesteps that protection by looping every other subfolder of the parent back to itself while isolating the EDR's own path for manipulation.

The tool builds on the Windows bind link feature, introduced in Windows 11 24H2, which lets a caller map one filesystem path onto another through the bindflt.sys minifilter from user mode; no kernel driver is needed, although creating a bind link requires administrative rights.

EDR products, including antivirus engines, typically lock down their own subfolders in locations such as Program Files or ProgramData to prevent tampering, but they cannot fully restrict writes to the parent directories without breaking other installations on the system.

EDR-Redir V2 enumerates the subfolders of the target parent, such as Program Files, and mirrors them in a directory it controls, such as C:\TMP\TEMPDIR. It then creates bind links between the mirrors and the originals in both directions, forming loops so that non-EDR software keeps resolving to its real files.


The EDR's own subfolder, such as Windows Defender's under C:\ProgramData\Microsoft, is excluded from the loop and redirected solely to the attacker's TEMPDIR.

This setup enables DLL hijacking or file drops in the redirected space, tricking the EDR into loading attacker-controlled components from what it believes is its own directory. Vendors often overlook such parent-level redirections, so a wide range of EDRs is potentially affected.

EDR-Redir V2 on Windows Defender

In a demonstration on Windows 11, TwoSevenOneT applied EDR-Redir V2 against Windows Defender, whose data directory is C:\ProgramData\Microsoft\Windows Defender.

The tool was run with three parameters, the target parent folder, the redirection destination, and the exception path: EDR-Redir.exe C:\ProgramData\Microsoft C:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender".


Console output listed each bind link as it was created, with no errors. After execution, Defender's accesses to its own path resolved through TEMPDIR, leaving it unable to see its original files and opening the door to further evasion.

A visualization showed the redirection in action, with Defender treating TEMPDIR as its operational parent. The GitHub repository for EDR-Redir provides the tool for download and further testing, and a demo video on YouTube shows the process in real time.

The technique exposes a gap in how EDRs defend against filesystem manipulation at the parent level: per-folder safeguards on the EDR's own directory do not help once the path leading to it is redirected. An attacker with the rights to create bind links could disable EDR services or inject code, operating in user mode and generating few telemetry events.

While no in-the-wild use has been reported yet, the method's simplicity raises concerns for enterprise environments. Defenders should monitor bind link creation in critical directories such as Program Files and ProgramData and run integrity checks on EDR paths.
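One way to implement such an integrity check, as an added example that is not code from EDR-Redir or its author: record the NTFS identity (volume serial number plus file index) of the EDR directory and everything beneath it, then verify it on a schedule. A bind link makes the protected path resolve to a different directory object, so the identities stop matching the baseline even when the attacker has mirrored the files byte for byte. The baseline file location and the function names are assumptions chosen for this illustration.

```powershell
# Added example (not part of the EDR-Redir project). Snapshots the NTFS identity of
# an EDR directory tree and later verifies it to catch namespace redirection.
# Assumed: baseline path C:\Baselines\defender.json; run from an elevated shell.

Add-Type -Namespace Win32 -Name FileIdentity -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct BY_HANDLE_FILE_INFORMATION {
    public uint FileAttributes;
    public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastAccessTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastWriteTime;
    public uint VolumeSerialNumber;
    public uint FileSizeHigh;
    public uint FileSizeLow;
    public uint NumberOfLinks;
    public uint FileIndexHigh;
    public uint FileIndexLow;
}
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetFileInformationByHandle(
    Microsoft.Win32.SafeHandles.SafeFileHandle hFile,
    out BY_HANDLE_FILE_INFORMATION lpFileInformation);
'@

function Get-NtfsIdentity {
    # Returns "VOLSER:FILEINDEX" for a file or directory. Only FILE_READ_ATTRIBUTES
    # is requested, so Defender's locked files can still be opened for metadata.
    param([Parameter(Mandatory)][string]$Path)
    $FILE_READ_ATTRIBUTES      = 0x80
    $SHARE_ALL                 = 0x7          # READ | WRITE | DELETE
    $OPEN_EXISTING             = 3
    $FILE_FLAG_BACKUP_SEMANTICS = 0x02000000  # needed to open a directory handle
    $handle = [Win32.FileIdentity]::CreateFileW($Path, $FILE_READ_ATTRIBUTES, $SHARE_ALL,
        [IntPtr]::Zero, $OPEN_EXISTING, $FILE_FLAG_BACKUP_SEMANTICS, [IntPtr]::Zero)
    if ($handle.IsInvalid) { throw "CreateFileW failed for $Path" }
    try {
        $info = New-Object 'Win32.FileIdentity+BY_HANDLE_FILE_INFORMATION'
        if (-not [Win32.FileIdentity]::GetFileInformationByHandle($handle, [ref]$info)) {
            throw "GetFileInformationByHandle failed for $Path"
        }
        '{0:X8}:{1:X8}{2:X8}' -f $info.VolumeSerialNumber, $info.FileIndexHigh, $info.FileIndexLow
    } finally { $handle.Dispose() }
}

function New-EdrPathBaseline {
    # Records the identity of the directory itself plus every entry beneath it.
    # The directory's own entry is the important one: it changes as soon as the
    # path is bind-linked elsewhere, even if nothing inside was modified.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$BaselineFile)
    $entries = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    $baseline = @{}
    foreach ($e in $entries) {
        try { $baseline[$e.FullName] = Get-NtfsIdentity -Path $e.FullName }
        catch { Write-Warning "Skipped $($e.FullName): $_" }
    }
    $baseline | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    return $baseline.Count
}

function Test-EdrPathBaseline {
    # Compares current identities with the baseline; returns $true only if every
    # recorded entry still resolves to the same NTFS object.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$BaselineFile)
    $expected = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
    $findings = @()
    foreach ($prop in $expected.PSObject.Properties) {
        $p = $prop.Name
        if (-not (Test-Path -LiteralPath $p)) { $findings += "MISSING  $p"; continue }
        try { $now = Get-NtfsIdentity -Path $p } catch { $now = 'unreadable' }
        if ($now -ne $prop.Value) { $findings += "CHANGED  $p  baseline=$($prop.Value) now=$now" }
    }
    if ($findings.Count -eq 0) { Write-Host "OK: $Path matches baseline"; return $true }
    $findings | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage (assumed paths):
#   New-EdrPathBaseline  -Path 'C:\ProgramData\Microsoft\Windows Defender' -BaselineFile 'C:\Baselines\defender.json'
#   Test-EdrPathBaseline -Path 'C:\ProgramData\Microsoft\Windows Defender' -BaselineFile 'C:\Baselines\defender.json'
```

Keep the baseline outside the monitored tree, ideally off-host or signed, since the check runs through the same namespace that bindflt controls and an attacker who can redirect the EDR path can redirect a baseline stored next to it. The check is detection, not prevention: it tells you that the path now resolves to a different object, not who redirected it, so pair it with process and command-line telemetry for the tool that created the link.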

EDR vendors may need to extend self-protection to parent folders without impeding usability. TwoSevenOneT shares ongoing research on X (@TwoSevenOneT) for pentesting insights. As evasion tools evolve, proactive monitoring of kernel filters remains essential.
