{"id":8127,"date":"2025-11-02T10:03:28","date_gmt":"2025-11-02T10:03:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/02\/new-edr-redir-v2-blinds-windows-defender-on-windows-11-with-fake-program-files\/"},"modified":"2025-11-02T10:03:28","modified_gmt":"2025-11-02T10:03:28","slug":"new-edr-redir-v2-blinds-windows-defender-on-windows-11-with-fake-program-files","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/02\/new-edr-redir-v2-blinds-windows-defender-on-windows-11-with-fake-program-files\/","title":{"rendered":"New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files"},"content":{"rendered":"

New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

An upgraded release of tool EDR-Redir V2, designed to evade Endpoint Detection and Response (EDR) systems by exploiting Windows bind link technology in a novel way.<\/p>\n

According to the researcher TwoSevenOneT, the version targets the parent directories of EDR installations, such as Program Files, to create redirection loops that blind security software without disrupting legitimate applications.<\/p>\n

Previously, EDR-Redir<\/a> used direct folder redirections, but protections often blocked those attempts; V2 circumvents this by looping subfolders back to themselves while isolating the EDR\u2019s path for manipulation.\u200b<\/p>\n

The tool builds on Windows\u2019 bind link feature, introduced in Windows 11 24H2<\/a>, which allows filesystem namespace redirection via the bindflt.sys driver without kernel privileges.<\/p>\n

EDR solutions like antivirus programs typically lock down their subfolders in locations such as Program Files or ProgramData to prevent tampering, but they cannot fully restrict writes to parent directories without breaking system installations.<\/p>\n

EDR-Redir V2 queries all subfolders in the target parent, like Program Files, and mirrors them in a controlled directory, such as C:TMPTEMPDIR. It then establishes bidirectional bind links between these mirrors and originals, forming loops that maintain normal access for non-EDR software.<\/p>\n

The EDR\u2019s specific subfolder, such as Windows Defender\u2019s in C:ProgramDataMicrosoft, is excluded from the loop and redirected solely to the attacker\u2019s TEMPDIR.<\/p>\n

This setup enables DLL hijacking<\/a> or file drops in the redirected space, tricking the EDR into loading malicious components. Developers often overlook such parent-level redirections, potentially affecting a wide range of EDRs.\u200b<\/p>\n

EDR-Redir V2 on Windows Defender<\/strong><\/h2>\n

In a demonstration on Windows 11, TwoSevenOneT applied EDR-Redir V2 against Windows Defender<\/a>, located in C:ProgramDataMicrosoftWindows Defender.<\/p>\n

The tool was executed with parameters specifying the target folder, redirection destination, and exception path: EDR-Redir.exe C:ProgramDataMicrosoft c:TMPTEMPDIR \u201cC:ProgramDataMicrosoftWindows Defender\u201d.<\/p>\n

\"\"<\/figure>\n

Console output detailed the bind link creations, confirming success without errors. Post-execution, Defender\u2019s access attempts looped through TEMPDIR, effectively blinding it to its original files and allowing potential evasion tactics.<\/p>\n

A visualization showed the redirection in action, with Defender viewing TEMPDIR as its operational parent. The GitHub repository for EDR-Redir provides the tool for download and further testing. A demo video on YouTube illustrates the process in real-time.\u200b<\/p>\n

\n
\n