Tech Optimizer
November 2, 2025
An upgraded release of the EDR-Redir tool, EDR-Redir V2, has been developed to circumvent Endpoint Detection and Response (EDR) systems using the Windows bind link feature. Rather than attacking the EDR's own directory, this version targets the parent directories of EDR installations, such as Program Files, and creates redirection loops that blind the security software while leaving legitimate applications working normally.

Unlike its predecessor, EDR-Redir V2 uses a more involved mechanism that loops subfolders back onto themselves, isolating the EDR's path for manipulation without triggering alarms. The tool relies on the bind link feature introduced in Windows 11 24H2, which redirects the filesystem namespace without requiring kernel privileges. EDR products typically lock down their own subfolders but cannot entirely restrict writes to the parent directory. EDR-Redir V2 enumerates every subfolder of the targeted parent directory, mirrors them in a directory it controls, and establishes bidirectional bind links; the resulting loops preserve normal access for non-EDR software.

In a demonstration against Windows Defender, EDR-Redir V2 redirected access to Defender's operational files, leaving Defender blind to its actual files.

The technique highlights a weakness in how EDR systems handle filesystem manipulation at the parent-directory level and suggests that safeguards scoped only to the EDR's own folder are inadequate. Although there are no widespread reports of this method being used in the wild, it is a significant concern for enterprise environments; security teams should monitor bind link usage in critical directories and implement integrity checks on EDR paths.
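One way to implement the integrity check on EDR paths recommended above, as an added example that is not part of the article or the EDR-Redir tool: a bind link changes what a path resolves to without changing the path string, so the check records the (volume serial, file index) identity each critical directory resolves to at a known-good time and flags any later change. The directory names and the baseline values are constructed placeholders; on Windows, Python's os.stat fills st_dev with the volume serial number and st_ino with the NTFS file index.

```python
"""Baseline identity check for EDR install paths (added example, not from the article)."""
import os
from typing import Dict, Iterable, Tuple

# (st_dev, st_ino): on Windows these are the volume serial number and the file index.
Identity = Tuple[int, int]


def snapshot(paths: Iterable[str]) -> Dict[str, Identity]:
    """Record the identity each path currently resolves to; missing paths map to (0, 0)."""
    result: Dict[str, Identity] = {}
    for p in paths:
        try:
            st = os.stat(p)
            result[p] = (st.st_dev, st.st_ino)
        except OSError:
            result[p] = (0, 0)
    return result


def compare(baseline: Dict[str, Identity], current: Dict[str, Identity]) -> Dict[str, str]:
    """Return {path: reason} for every baselined path whose identity no longer matches.

    A path that still exists but now resolves to a different directory object is the
    signature a namespace redirection (such as a bind link) leaves behind.
    """
    findings: Dict[str, str] = {}
    for path, expected in baseline.items():
        actual = current.get(path)
        if actual is None:
            findings[path] = "not checked"
        elif actual == (0, 0):
            findings[path] = "path missing or inaccessible"
        elif actual[0] != expected[0]:
            findings[path] = "resolves to a different volume"
        elif actual[1] != expected[1]:
            findings[path] = "resolves to a different directory (possible bind link redirection)"
    return findings


if __name__ == "__main__":
    # Placeholder directories; on a real host list the EDR vendor's install and data paths.
    watched = [r"C:\Program Files\ExampleEDR", r"C:\ProgramData\ExampleEDR"]
    baseline = snapshot(watched)  # persist this at a known-good time, then re-check on a schedule
    print(compare(baseline, snapshot(watched)))  # empty dict while nothing has changed
```

A legitimate EDR upgrade that recreates its directory also changes the file index, so the baseline must be refreshed after approved changes and every finding should be tied to the change record before it is treated as tampering.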