New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files

An upgraded release of the EDR-Redir V2 tool has emerged, showcasing a sophisticated approach to circumventing Endpoint Detection and Response (EDR) systems. This innovative version leverages Windows bind link technology in a manner that is both novel and effective.

Researcher TwoSevenOneT has revealed that this iteration specifically targets the parent directories of EDR installations, such as Program Files. By creating redirection loops, it effectively blinds security software while maintaining the integrity of legitimate applications.

In contrast to its predecessor, which relied on direct folder redirections often thwarted by security measures, EDR-Redir V2 introduces a more intricate mechanism. It loops subfolders back to themselves, isolating the EDR’s path for manipulation without triggering alarms.

This tool capitalizes on the bind link feature introduced in Windows 11 24H2, which facilitates filesystem namespace redirection through the bindflt.sys driver, all without requiring kernel privileges. EDR solutions, including antivirus programs, typically secure their subfolders in locations like Program Files or ProgramData to prevent unauthorized alterations. However, these systems cannot entirely restrict writes to parent directories without jeopardizing system functionality.

EDR-Redir V2 operates by querying all subfolders within the targeted parent directory, such as Program Files, and mirroring them in a controlled directory, such as C:\TMP\TEMPDIR. It then establishes bidirectional bind links between these mirrors and their original counterparts, creating loops that allow normal access for non-EDR software.

Notably, the specific subfolder associated with the EDR, such as Windows Defender's under C:\ProgramData\Microsoft, is excluded from the loop and redirected solely to the attacker's TEMPDIR. This configuration facilitates DLL hijacking or file drops within the redirected space, effectively deceiving the EDR into loading malicious components. Developers often overlook such parent-level redirections, which could potentially impact a broad spectrum of EDR solutions.

EDR-Redir V2 on Windows Defender

In a practical demonstration on Windows 11, TwoSevenOneT executed EDR-Redir V2 against Windows Defender, specifically targeting the directory located at C:\ProgramData\Microsoft\Windows Defender. The execution parameters were clearly defined: EDR-Redir.exe C:\ProgramData\Microsoft C:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender".

The console output confirmed the successful creation of bind links, with no errors reported. Following execution, attempts by Defender to access its original files were rerouted through TEMPDIR, effectively rendering it blind to its actual operational files and opening the door for potential evasion tactics.

A visualization of this redirection process illustrated how Defender perceived TEMPDIR as its operational parent. For those interested in further exploration, the GitHub repository for EDR-Redir offers the tool for download and additional testing. A demo video available on YouTube showcases the process in real-time.


This technique underscores the vulnerabilities inherent in EDR systems when it comes to protecting against filesystem manipulations at the parent directory level, effectively rendering folder-specific safeguards inadequate. Attackers could potentially disable EDR services or inject code, operating undetected in user mode with minimal event logging.

While there have been no widespread reports of exploits utilizing this method, its simplicity raises significant concerns for enterprise environments. Security teams should remain vigilant, monitoring bind link usage in critical directories such as Program Files and implementing integrity checks on EDR paths.
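One way to implement the integrity check recommended above, as an added example that is not part of EDR-Redir or of the article: it baselines the device and inode (file index on Windows) of every entry under the EDR path, so a later run against a bind-linked path shows the same names and sizes but a changed identity. It assumes that a bind link exposes the backing directory's file identity at the virtual path; the default root is the path the article reports being redirected.

```python
"""Baseline-and-compare integrity check for an EDR directory (added example).

A bind link keeps names and contents at the virtual path looking normal,
but the objects behind them are different files on the backing volume.
Comparing file identity (device + inode / Windows file index), not only
names and sizes, flags that swap. Assumption: the virtual path exposes the
backing directory's identity. Not part of EDR-Redir or Windows Defender.
"""
import json
import os
from pathlib import Path

# Path the article reports EDR-Redir V2 redirecting; override as needed.
DEFAULT_ROOT = r"C:\ProgramData\Microsoft\Windows Defender"


def snapshot(root):
    """Map each entry under root (relative POSIX path) to its identity record."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.stat(p, follow_symlinks=False)
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"dev": st.st_dev, "ino": st.st_ino, "size": st.st_size}
    return snap


def compare(baseline, current):
    """Return (finding, path) pairs: backing object changed, vanished or appeared."""
    findings = []
    for rel, b in baseline.items():
        c = current.get(rel)
        if c is None:
            findings.append(("missing", rel))
        elif (b["dev"], b["ino"]) != (c["dev"], c["ino"]):
            # Same name, different underlying file: what a redirected path looks like.
            findings.append(("identity_changed", rel))
    for rel in current.keys() - baseline.keys():
        findings.append(("new", rel))
    return findings


def save_baseline(baseline_file, root=DEFAULT_ROOT):
    """Record the current identities; run once on a known-good host."""
    Path(baseline_file).write_text(json.dumps(snapshot(root)))


def check(baseline_file, root=DEFAULT_ROOT):
    """Compare the live tree against the stored baseline and return findings."""
    return compare(json.loads(Path(baseline_file).read_text()), snapshot(root))
```

Run save_baseline on a clean system and check on a schedule; any identity_changed result for the EDR root or its children is worth an alert, since legitimate updates replace individual files rather than the whole tree at once.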

EDR vendors may find it necessary to bolster protections for parent folders without compromising usability. TwoSevenOneT continues to share insights and research on X (@TwoSevenOneT) regarding penetration testing. As evasion tools advance, proactive monitoring of kernel filters remains a crucial strategy for maintaining security integrity.
