EDR-Redir V2 Bypasses Windows Defender on Win 11 by Exploiting Folder Redirection Loops

EDR-Redir V2: A New Tool That Blinds Windows Defender on Windows 11 Using Fake Program Files

A significant advancement in cybersecurity evasion techniques has emerged with the release of EDR-Redir V2, a tool designed to circumvent Endpoint Detection and Response (EDR) systems by exploiting Windows’ bind link technology in an innovative manner. Developed by the researcher known as TwoSevenOneT, this updated version specifically targets the parent directories of EDR installations, such as ‘Program Files’, to create redirection loops that effectively blind security software without disrupting legitimate applications.

Evolution from Direct Redirection to Looping Techniques

The original EDR-Redir tool employed direct folder redirections to evade detection. However, these methods were often thwarted by existing security protections. In contrast, EDR-Redir V2 introduces a more sophisticated approach by looping subfolders back to themselves while isolating the EDR’s path for manipulation. This technique leverages Windows’ bind link feature, introduced in Windows 11 24H2, which allows filesystem namespace redirection via the ‘bindflt.sys’ driver without requiring kernel privileges.

Mechanism of EDR-Redir V2

EDR solutions, including antivirus programs, typically lock down their own subfolders within directories like ‘Program Files’ or ‘ProgramData’ to prevent tampering. However, they cannot fully restrict writes to the parent directories without potentially breaking system installations. EDR-Redir V2 exploits this by enumerating all subfolders in the target parent directory, such as ‘Program Files’, and mirroring them in an attacker-controlled directory, like ‘C:\TMP\TEMPDIR’. It then establishes bidirectional bind links between these mirrors and the originals, forming loops that preserve normal access for non-EDR software.

The EDR’s specific subfolder, such as Windows Defender’s located in ‘C:\ProgramData\Microsoft\Windows Defender’, is excluded from this loop and redirected solely to the attacker’s ‘TEMPDIR’. This setup enables techniques like DLL hijacking or file drops in the redirected space, tricking the EDR into loading malicious components. Developers often overlook such parent-level redirections, potentially affecting a wide range of EDRs.

Demonstration on Windows Defender

In a demonstration on Windows 11, TwoSevenOneT applied EDR-Redir V2 against Windows Defender, located in ‘C:\ProgramData\Microsoft\Windows Defender’. The tool was executed with parameters specifying the target folder, redirection destination, and exception path:

`EDR-Redir.exe C:\ProgramData\Microsoft c:\TMP\TEMPDIR C:\ProgramData\Microsoft\Windows Defender`

The console output detailed the bind link creations, confirming success without errors. Post-execution, Defender’s access attempts looped through ‘TEMPDIR’, effectively blinding it to its original files and allowing potential evasion tactics. A visualization showed the redirection in action, with Defender viewing ‘TEMPDIR’ as its operational parent. The GitHub repository for EDR-Redir provides the tool for download and further testing, and a demo video on YouTube illustrates the process in real-time.

Implications for EDR Security

This technique highlights a weakness in how EDRs protect against filesystem manipulation at the parent level, rendering folder-specific safeguards ineffective. Attackers could disable EDR services or inject code, operating from user mode while generating little telemetry. While no widespread exploitation has been reported yet, the method’s simplicity raises concerns for enterprise environments. Defenders should monitor bind link usage in critical directories like ‘Program Files’ and implement integrity checks on EDR paths.
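The integrity check recommended above, as an added example that is not from the article or the EDR-Redir project: it baselines the executables under the Defender paths and, on later runs, flags unsigned or non-Microsoft binaries, changed hashes, and files that appeared or disappeared, which is how a redirected parent directory looks when viewed through the protected path. It assumes an elevated PowerShell on Windows 11; the directory list and the baseline file location are hypothetical choices.

```powershell
# Added example (not from the article or the EDR-Redir project). Assumes an elevated
# PowerShell on Windows 11; the directory list and baseline file are hypothetical choices.
param(
    [string[]]$ProtectedPaths = @('C:\ProgramData\Microsoft\Windows Defender', 'C:\Program Files\Windows Defender'),
    [string]$BaselineFile = "$env:ProgramData\edr-path-baseline.json"
)
# Snapshot every executable under the protected paths: SHA-256 plus Authenticode state.
function Get-EdrPathSnapshot {
    param([string[]]$Paths)
    $snapshot = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                $snapshot[$_.FullName] = [pscustomobject]@{ Status = "$($sig.Status)"; Signer = $signer
                    Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
            }
    }
    return $snapshot
}
# Report unsigned/non-Microsoft, changed, new or missing binaries; a redirected directory shows up as a burst of new/missing entries.
function Compare-EdrPathSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($path in $Current.Keys) {
        $c = $Current[$path]
        if ($c.Status -ne 'Valid' -or $c.Signer -notmatch 'O=Microsoft Corporation') {
            $findings += "Unsigned or non-Microsoft binary on EDR path: $path [$($c.Status)]" }
        if (-not $Baseline.ContainsKey($path))      { $findings += "Not in baseline: $path" }
        elseif ($Baseline[$path].Hash -ne $c.Hash) { $findings += "Hash changed: $path" }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) { $findings += "Missing since baseline: $path" }
    }
    return $findings
}
$current = Get-EdrPathSnapshot -Paths $ProtectedPaths
if (-not (Test-Path -LiteralPath $BaselineFile)) {            # first run: record the baseline
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselineFile
    "Baseline written: $BaselineFile ($($current.Count) binaries)"
} else {                                                       # later runs: compare and alert
    $baseline = @{}
    (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $findings = Compare-EdrPathSnapshot -Baseline $baseline -Current $current
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'EDR paths match baseline.' }
}
```

Catalog-signed or data files can add noise, so tune the extension filter and re-baseline after legitimate platform updates.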

EDR vendors may need to enhance protections for parent folders without impeding usability. TwoSevenOneT shares ongoing research on X (@TwoSevenOneT) for pentesting insights. As evasion tools evolve, proactive monitoring of kernel filters remains essential.