An upgraded release of the tool EDR-Redir V2 has been published, designed to evade Endpoint Detection and Response (EDR) products by abusing Windows bind link technology in a novel way.
According to the researcher TwoSevenOneT, the new version targets the parent directories of EDR installations, such as Program Files, to create redirection loops that blind security software without disrupting legitimate applications.
Previously, EDR-Redir used direct folder redirections, but protections often blocked these attempts; V2 circumvents this by looping subfolders back to themselves while isolating the EDR's path for manipulation.
The tool builds on Windows' bind link feature, introduced in Windows 11 24H2, which allows filesystem namespace redirection via the bindflt.sys driver without kernel privileges.
EDR solutions such as antivirus products typically lock down their subfolders in locations such as Program Files or ProgramData to prevent tampering, but they cannot fully restrict writes to parent directories without breaking system installations.
EDR-Redir V2 enumerates all subfolders in the target parent, such as Program Files, and mirrors them in a controlled directory, such as C:\TMP\TEMPDIR. It then establishes bidirectional bind links between these mirrors and the originals, forming loops that preserve normal access for non-EDR software.
The EDR's specific subfolder, such as Windows Defender's in C:\ProgramData\Microsoft, is excluded from the loop and redirected only to the attacker's TEMPDIR.
This setup allows DLL hijacking or file drops in the redirected space, tricking the EDR into loading malicious components. Developers often overlook such parent-level redirections, potentially affecting a wide range of EDRs.
EDR-Redir V2 on Windows Defender
In a demonstration on Windows 11, TwoSevenOneT used EDR-Redir V2 against Windows Defender, located in C:\ProgramData\Microsoft\Windows Defender.
The tool was executed with parameters specifying the target folder, redirection destination, and exception path: EDR-Redir.exe C:\ProgramData\Microsoft c:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender".
Console output detailed the bind link creations, confirming success without errors. After execution, Defender's access attempts looped through TEMPDIR, effectively blinding it to its legitimate files and enabling potential evasion techniques.
A visualization showed the redirection in action, with Defender seeing TEMPDIR as its operational parent. The GitHub repository for EDR-Redir provides the tool for download and further testing. A demo video on YouTube illustrates the process in real time.
The technique highlights weaknesses in how EDRs protect against filesystem manipulation at the parent level, rendering folder-specific safeguards ineffective. Attackers could disable EDR services or inject code, operating undetected in user mode with minimal events.
While no widespread exploitation has been reported yet, the technique's simplicity raises concerns for enterprise environments. Defenders should monitor bind link usage in critical directories such as Program Files and implement integrity checks on EDR paths.
EDR vendors may need to strengthen protections for parent folders without impeding usability. TwoSevenOneT shares ongoing research on X (@TwoSevenOneT) for pentesting insights. As evasion tools evolve, proactive monitoring of kernel filters remains essential.
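One way to implement the integrity check on EDR paths suggested above, as an added example that is not part of the original article or of the EDR-Redir project: it records, for every entry under an EDR directory, the volume id and file id that the path currently resolves to (on Windows, Python's os.stat reports the NTFS file reference number in st_ino and the volume serial in st_dev) together with a SHA-256 of each file's content, and later reports any entry whose identity or content changed. A namespace redirection that points the EDR path at a mirror makes the same path resolve to different file objects, which this check flags even when the mirrored content is byte-identical. The demo tree, its file contents and the swapped-in mirror are constructed for the example, and the "FakeEDR" folder name is a placeholder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def _file_identity(path: Path) -> dict:
    """Record what a path currently resolves to: the volume id (st_dev),
    the file id (st_ino; the NTFS file reference number on Windows) and,
    for files, a SHA-256 of the content."""
    st = path.stat()
    entry = {"dev": st.st_dev, "ino": st.st_ino, "is_dir": path.is_dir()}
    if path.is_file():
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(root: str) -> dict:
    """Map every entry under root (relative POSIX-style path, "" for the
    root itself) to its identity record. Store the result somewhere the
    protected tree cannot reach, e.g. on a separate volume."""
    root_path = Path(root)
    baseline = {"": _file_identity(root_path)}
    for p in sorted(root_path.rglob("*")):
        baseline[p.relative_to(root_path).as_posix()] = _file_identity(p)
    return baseline


def verify(root: str, baseline: dict) -> list[str]:
    """Compare the tree as it resolves now against the baseline. An empty
    list means every path still maps to the same file objects with the
    same content."""
    current = build_baseline(root)
    findings = []
    for rel, expected in baseline.items():
        label = rel or "<root>"
        actual = current.get(rel)
        if actual is None:
            findings.append(f"missing: {label}")
            continue
        if (actual["dev"], actual["ino"]) != (expected["dev"], expected["ino"]):
            # Same path, different underlying object: what a redirection
            # to a mirror directory looks like from user mode.
            findings.append(f"identity changed (possible redirection): {label}")
        elif actual.get("sha256") != expected.get("sha256"):
            findings.append(f"content changed: {label}")
    for rel in current:
        if rel not in baseline:
            findings.append(f"unexpected new entry: {rel}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: baseline a placeholder EDR folder, then swap
    in a byte-identical copy at the same path (the view a redirection to
    a mirror would produce) and return the findings before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        edr = Path(tmp) / "FakeEDR"  # placeholder for the EDR install path
        (edr / "x64").mkdir(parents=True)
        (edr / "x64" / "engine.dll").write_bytes(b"constructed engine bytes")
        (edr / "config.json").write_text('{"constructed": true}')

        baseline = build_baseline(str(edr))
        clean = verify(str(edr), baseline)

        mirror = Path(tmp) / "TEMPDIR_mirror"  # constructed mirror copy
        shutil.copytree(edr, mirror)
        shutil.rmtree(edr)
        mirror.rename(edr)  # same path, same bytes, new file objects
        redirected = verify(str(edr), baseline)
        return clean, redirected


if __name__ == "__main__":
    before, after = demo()
    print("clean run findings:", before)
    for line in after:
        print(line)
```

The check runs in user mode through the same filter stack as the EDR itself, so it sees exactly the redirected view and compares that against the stored baseline; keep the baseline outside the monitored tree. Legitimate EDR updates also replace files and change their identities, so the baseline has to be refreshed after each update, and the "identity changed" findings are a trigger for investigation (for example, correlating with bind filter activity) rather than proof of tampering on their own.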
