A new tool called EDR-Redir has emerged, allowing attackers to redirect or isolate the executable folders of popular Endpoint Detection and Response (EDR) solutions.<\/p>\n
Demonstrated by cybersecurity researcher TwoSevenOneT, the technique leverages Windows\u2019 Bind Filter driver (bindflt.sys) and Cloud Filter driver (cldflt.sys) to undermine EDR protections without requiring kernel-level access.<\/p>\n
This user-mode exploit, rooted in the Bring Your Own Vulnerable Driver (BYOVD<\/a>) approach, could enable attackers to disable defenses, inject malicious code, or hijack processes, leaving systems vulnerable to undetected intrusions.<\/p>\n The vulnerability stems from Windows 11\u2019s Bind Link feature, introduced in version 24H2<\/a>. Bind Links provide filesystem namespace redirection via virtual paths, managed by the bindflt.sys minifilter driver.<\/p>\n Unlike traditional symbolic links, which EDRs actively monitor and block using mechanisms like Microsoft\u2019s RedirectionGuard, Bind Links operate transparently at the driver level.<\/p>\n They map virtual paths to real ones, local or remote, without creating physical files, inheriting permissions from the target while remaining invisible to most applications.<\/p>\n This subtlety allows attackers with administrator privileges to perform read and open operations on protected EDR folders, which are typically locked against writes.<\/p>\n EDR-Redir, available as an open-source tool on GitHub<\/a>, simplifies the process with straightforward commands. For instance, running \u201cEDR-Redir.exe bind C:TMP123 C:TMP456\u201d creates a virtual path at C:TMP123 that redirects all interactions to C:TMP456.<\/p>\n The researcher tested<\/a> this against multiple EDRs. With Elastic Defend and Sophos Intercept X, the tool successfully redirected their executable folders to attacker-controlled locations.<\/p>\n Once redirected, adversaries could drop DLLs for process hijacking, insert malicious executables, or empty the folder to halt EDR operations on reboot. Notably, these Bind Links do not persist across restarts, requiring a scheduled task or service for automation.<\/p>\n Windows Defender proved more resilient to direct Bind Link redirection, likely due to its integrated protections. However, the researcher devised a workaround using the Cloud Files API (CFAPI), powered by cldflt.sys.<\/p>\n This API, designed for sync engines like OneDrive<\/a>, enables on-demand file access through placeholder files. By invoking CfRegisterSyncRoot with minimal policies essentially an incomplete registration EDR-Redir registers the Defender folder as a \u201csync root.\u201d<\/p>\n This corrupts access, preventing the EDR from reading or writing to its directory. Post-reboot, Defender\u2019s services fail to start, effectively isolating it.<\/p>\n Unlike Bind Links, this Cloud Filter method persists without additional setup, making it particularly stealthy. A demo video shared by the researcher illustrates the process, showing Defender\u2019s folder becoming inaccessible after registration.<\/p>\n Tests confirmed similar efficacy against two unnamed commercial EDRs<\/a>, highlighting a broad risk.<\/p>\n![\"Sophos](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrh4P7YPayHK_KeJFU2Ti8rwPWsOqOfF1le133CLkQnw2Q2TuaQ58xll496AtOVXUSCNmVuZSyQ_14xHp62l9EhUwQraz56XCi83KwMiI8xQK6E6Y-iiwuLjfIRjqR1LPly2FZPpJF2bEDbvwqGhcsodEd-3Wois7CFsvYS7gBsb9SrZflqaXvImkgHm__\/s16000\/Sophos%2520inter.webp?ssl=1\")
![\"Elastic](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4SphRR5Ld7eLoDmoPVFS__NSRU9pjYLgg-AzDw1adeVGgYkhfd3EumfMNGNQMXUYzOCo0Ru2PTjyVtdTzI2cErtgcLXsEM9EvydOrtjwbBKJtodL0JNjpJgk6FIRIqln5CN_-AxJtJ1Q6qpEN4EDS3-tgE1U476bNZ7m13Wk3jshh0AoxOFKBAQKMQv7k\/s16000\/Elastic%2520EDR.webp?ssl=1\")
Bypassing Windows Defender with Cloud Filter Tricks<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEijSgVWw66jO0zHh2LBINECKgBo2NLOjTG9ZgZNprJC1YLPPoPbNDbMp5qLDwVVdjsMWxluHrQyu1uPVH4oB26JfRjz77iU3F9UPmLY17ApsTFsE7qlDkjZW6vuANgqIHsjml_X9jyTCKC5G8tRLGvuDeG0_Ej8kFI4_joMZrqEuJk4znsqIDdkG5sFe7QM\/s16000\/Corrupted%2520sync%2520root%2520folder%2520with%2520EDR-Redir.webp?ssl=1\")