New EDR-Redir Tool Breaks EDRs by Exploiting the Bind Filter and Cloud Filter Drivers

Cybersecurity: EDR-Redir Tool Overview
A newly developed tool, EDR-Redir, has been introduced, enabling attackers to redirect or isolate the executable folders of common Endpoint Detection and Response (EDR) solutions.
Cybersecurity researcher TwoSevenOneT demonstrated this technique, which exploits Windows’ Bind Filter driver (bindflt.sys) and Cloud Filter driver (cldflt.sys) to bypass EDR protections without requiring kernel-level access.
Technical Details
The tool runs entirely in user mode and abuses two Microsoft-signed minifilter drivers that ship with Windows, bindflt.sys and cldflt.sys. Unlike Bring Your Own Vulnerable Driver (BYOVD) attacks, it loads no third-party driver and needs no kernel code execution. The resulting control over the EDR's own folders lets an attacker disable defenses, inject malicious code into or hijack the EDR's processes, and leave the host open to further compromise.
The technique rests on the Bind Link feature introduced in Windows 11 version 24H2. Bind Links provide filesystem namespace redirection: a virtual path is mapped onto a backing path by the bindflt.sys minifilter driver.
Unlike traditional symbolic links, Bind Links are resolved transparently inside the filter driver, mapping virtual paths to real ones without creating a reparse point or any other on-disk artifact. Access checks are performed against the backing path, and the redirection is invisible to most applications, including the symlink and junction checks that EDRs already perform on their folders.
Operational Implications
EDR folders are typically locked against write operations even for administrators, but an administrator can still open and read them. EDR-Redir does not try to write into the protected folder at all; instead it redirects the folder's path so that the EDR resolves its own executable directory to a location the attacker controls.
EDR-Redir is available as an open-source tool on GitHub and simplifies the process with straightforward commands. An example command, “EDR-Redir.exe bind C:\TMP\123 C:\TMP\456,” creates a virtual path at C:\TMP\123 that redirects all interactions to C:\TMP\456.
Testing against various EDRs, including Elastic Defend and Sophos Intercept X, revealed that the tool could redirect their executable folders to attacker-controlled locations.
Once redirected, adversaries might drop DLLs for process hijacking, introduce malicious executables, or empty the folder to disrupt EDR operations upon reboot. Notably, these Bind Links do not persist across restarts, necessitating a scheduled task or service for automation.
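The following PowerShell script is an added example, not code from EDR-Redir or its author. It calls the public Bind Link API (CreateBindLink / RemoveBindLink, exported by bindlink.dll on Windows 11 24H2 and later, which is assumed to be what the tool's "bind" command wraps) on the two C:\TMP paths from the article's own example, so you can observe the redirection and its lack of an on-disk artifact. It must be run from an elevated prompt; the assumed API signatures are those published in bindlink.h.

```powershell
# Added example: reproduce the article's "bind C:\TMP\123 C:\TMP\456" with the
# documented Bind Link API. Assumes Windows 11 24H2+ and an elevated session.
$bindlinkApi = @"
using System;
using System.Runtime.InteropServices;
public static class BindLink {
    public const uint FLAG_NONE      = 0;  // CREATE_BIND_LINK_FLAG_NONE
    public const uint FLAG_READ_ONLY = 1;  // CREATE_BIND_LINK_FLAG_READ_ONLY
    public const uint FLAG_MERGED    = 2;  // CREATE_BIND_LINK_FLAG_MERGED
    [DllImport("bindlink.dll", CharSet = CharSet.Unicode)]
    public static extern int CreateBindLink(string virtualPath, string backingPath,
        uint flags, uint exceptionCount, string[] exceptionPaths);
    [DllImport("bindlink.dll", CharSet = CharSet.Unicode)]
    public static extern int RemoveBindLink(string virtualPath);
}
"@
Add-Type -TypeDefinition $bindlinkApi

$virtual = 'C:\TMP\123'   # the path applications keep opening
$backing = 'C:\TMP\456'   # where those opens actually land

# Both directories exist beforehand, mirroring the EDR case: the real folder at
# the virtual path is shadowed, not deleted, while the link is active.
New-Item -ItemType Directory -Force -Path $virtual, $backing | Out-Null
Set-Content -Path (Join-Path $virtual 'original.txt') -Value 'lives in 123'
Set-Content -Path (Join-Path $backing 'planted.txt')  -Value 'lives in 456'

$hr = [BindLink]::CreateBindLink($virtual, $backing, [BindLink]::FLAG_NONE, 0, $null)
if ($hr -ne 0) { throw ('CreateBindLink failed, HRESULT 0x{0:X8}' -f $hr) }

try {
    # 1. Listing the virtual path now shows the backing folder's contents only.
    Write-Host "Contents of $virtual while linked:"
    Get-ChildItem $virtual | Select-Object Name | Format-Table -HideTableHeaders

    # 2. A write through the virtual path is materialised in the backing folder.
    Set-Content -Path (Join-Path $virtual 'dropped.dll') -Value 'written via 123'
    Write-Host ("dropped.dll present in backing folder: {0}" -f (Test-Path (Join-Path $backing 'dropped.dll')))

    # 3. No reparse point is involved, so the usual symlink/junction probes see a
    #    plain directory (compare with a 'mklink /D' directory, which carries the
    #    ReparsePoint attribute).
    $isReparse = [bool]((Get-Item $virtual).Attributes -band [IO.FileAttributes]::ReparsePoint)
    Write-Host "ReparsePoint attribute on ${virtual}: $isReparse"
}
finally {
    # Tear down; bind links also vanish on reboot, which is why the article notes
    # that an attacker needs a scheduled task or service to re-create them.
    [BindLink]::RemoveBindLink($virtual) | Out-Null
}
Write-Host "Contents of $virtual after removal:"
Get-ChildItem $virtual | Select-Object Name | Format-Table -HideTableHeaders
```

Run it as administrator and read the three observations in order: the shadowed listing, the write that lands in the backing folder, and the absence of the ReparsePoint attribute. The last point is what defeats the symlink and junction checks that many EDRs run on their own directories.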
Bypassing Windows Defender with Cloud Filter Techniques
Windows Defender has shown resilience to direct Bind Link redirection, likely due to its integrated protections. However, a workaround using the Cloud Files API (CFAPI), powered by cldflt.sys, was developed.
This API, designed for sync engines like OneDrive, lets a provider serve files on demand through placeholder files. By calling CfRegisterSyncRoot on the Defender folder with a minimal policy set, EDR-Redir turns that directory into a "sync root" owned by a provider that never services requests, so opens and reads of the files beneath it fail and Defender can no longer read or write its own directory. After a reboot, Defender's services fail to start, effectively isolating it.
This Cloud Filter method persists without additional setup, making it particularly stealthy. Tests confirmed similar efficacy against other commercial EDRs, highlighting a broad risk.
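Because a sync-root registration survives reboots, it is also the more durable indicator for defenders. The PowerShell script below is an added example written for this article, not part of EDR-Redir or any vendor's tooling. It assumes that CfRegisterSyncRoot records registrations under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager, with the per-user path stored as a SID-named value beneath a UserSyncRoots subkey (verify that layout against a clean machine on your build), and that the EDR install directories listed in $edrDirs are where your products live. It flags any sync root that covers an EDR folder and any cloud reparse point that has appeared inside one.

```powershell
# Added example: hunt for Cloud Files sync roots or placeholder reparse points
# planted on EDR install folders. Directory list and registry layout are
# assumptions to validate against your own baseline.
$edrDirs = @(
    "$env:ProgramFiles\Windows Defender",
    "$env:ProgramData\Microsoft\Windows Defender\Platform",
    "$env:ProgramFiles\Elastic\Endpoint",
    "$env:ProgramFiles\Sophos"
) | Where-Object { Test-Path $_ }

$syncRootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
$findings = New-Object System.Collections.Generic.List[object]

function Test-PathCovers {
    # True when $root is $target or an ancestor of it (case-insensitive).
    param([string]$root, [string]$target)
    if ([string]::IsNullOrWhiteSpace($root)) { return $false }
    $r = $root.TrimEnd('\'); $t = $target.TrimEnd('\')
    return ($t -ieq $r) -or $t.StartsWith($r + '\', [StringComparison]::OrdinalIgnoreCase)
}

# 1. Registered sync roots whose path covers an EDR directory.
if (Test-Path $syncRootKey) {
    foreach ($provider in Get-ChildItem $syncRootKey) {
        $userRoots = Join-Path $provider.PSPath 'UserSyncRoots'
        if (-not (Test-Path $userRoots)) { continue }
        $sidValues = (Get-ItemProperty $userRoots).PSObject.Properties |
                     Where-Object { $_.Name -like 'S-1-*' }
        foreach ($v in $sidValues) {
            foreach ($d in $edrDirs) {
                if (Test-PathCovers -root ([string]$v.Value) -target $d) {
                    $findings.Add([pscustomobject]@{
                        Type = 'SyncRoot'; Provider = $provider.PSChildName
                        Path = [string]$v.Value; Covers = $d; User = $v.Name })
                }
            }
        }
    }
}

# 2. Placeholder conversion leaves cloud reparse tags on files; an EDR binary
#    directory should never contain reparse points at all.
foreach ($d in $edrDirs) {
    Get-ChildItem -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type = 'ReparsePoint'; Provider = ''
                Path = $_.FullName; Covers = $d; User = '' })
        }
}

if ($findings.Count -eq 0) {
    Write-Host 'No sync roots or reparse points found on monitored EDR directories.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation on a confirmed hit is CfUnregisterSyncRoot (or the provider's
    # uninstaller), followed by a reboot so the EDR services can start again.
}
```

Schedule this as a periodic job or wrap it in your EDR's own integrity check: a sync root appearing over an EDR directory has no legitimate reason to exist, so a single hit is a high-confidence alert rather than a lead to triage.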
Recommendations
This technique underscores the need for EDRs to evolve beyond user-mode symlink and junction checks and scrutinize minifilter interactions with their own folders. Organizations are advised to audit administrator privileges, monitor for unusual driver loads (bearing in mind that bindflt.sys and cldflt.sys are inbox components, so the indicators here are the bind link and sync-root operations themselves rather than a new driver), and apply Windows patches promptly. Vendors, including Microsoft, Elastic, and Sophos, are encouraged to harden folder protections against these API abuses.
As endpoint threats increase, tools like EDR-Redir serve as a reminder that even strong defenses can be compromised by overlooked filesystem features.