Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter


I. OVERVIEW

Endpoint Detection and Response (EDR) always provides strong protection for its executable file locations. If an attacker can interfere with these locations, they can prevent the EDR from functioning or inject code into the EDR itself to stay under the radar.

In this article, I will demonstrate a technique that abuses the Bind Filter driver (bindflt.sys) to redirect the folders containing an EDR's executable files to a location that I completely control, where the EDR can be blocked or have code injected into it at will. Everything runs in user mode; no kernel privileges obtained through a Bring Your Own Vulnerable Driver (BYOVD) attack are needed. Additionally, I will use the Cloud Filter driver (cldflt.sys) to completely isolate an antivirus.

I will conduct a practical experiment in this article using Windows Defender. I have also tried this technique with two other commercial EDRs, and it was successful with all of them.

Find me on X (@TwoSevenOneT) to get the latest pentest and red team tricks that I've been researching.



II. BODY

1. Introduction To The Bind Link Feature Of Windows

The Windows Bind Link is part of a newer feature introduced in Windows 11 (starting with version 24H2) that enables filesystem namespace redirection using a virtual path.

A bind link allows administrators to map a virtual path on the local system to a backing path, either local or remote, without physically copying files. This is handled by the Bind Filter driver (bindflt.sys).

  • Virtual Path Mapping: Redirects file system access from a virtual path to a real path.
  • Transparent to Applications: Apps don’t need to be aware of the redirection; they operate as if files are local.
  • Security Inheritance: Permissions and security descriptors from the backing path are extended to the virtual path.
  • No Physical Files Created: The virtual path doesn’t create actual files or folders, just a logical mapping.
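To make the "virtual path mapping" and "no physical files" points concrete, the following added example (written for this page; it is not EDR-Redir's code and it does not call the Windows CreateBindLink API) models how a bind link rewrites a path on its way to the backing directory, including exception subpaths and nested links. It then shows the kind of protected-directory check a product could apply before honouring a redirection request, which is the mitigation this page points to. The names BindLink, BindNamespace, check_bind_request and the PROTECTED_DIRS entries are assumptions made for the example.

```python
"""Model of the namespace redirection a bind link performs, plus a
protected-directory check of the kind an endpoint product could apply.

Added illustration written for this page: it is not EDR-Redir's code and it
does not call the Windows CreateBindLink API. BindLink, BindNamespace,
check_bind_request and PROTECTED_DIRS are names and values assumed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def _norm(path: str) -> str:
    """Canonical form for comparison: backslashes, no trailing separator,
    lower case (Windows paths are case-insensitive)."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _is_under(path: str, root: str) -> bool:
    """True when path equals root or lies anywhere beneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


@dataclass
class BindLink:
    virtual_path: str                                    # what applications open
    backing_path: str                                    # where the I/O really lands
    exceptions: list[str] = field(default_factory=list)  # subpaths left unredirected


class BindNamespace:
    """Resolves a path the way the bind filter does: nothing is copied or
    created on disk, the name is rewritten on its way to the backing folder."""

    def __init__(self) -> None:
        self.links: list[BindLink] = []

    def add(self, link: BindLink) -> None:
        self.links.append(link)

    def resolve(self, path: str) -> str:
        path = path.replace("/", "\\").rstrip("\\")
        best: Optional[BindLink] = None
        for link in self.links:
            if not _is_under(path, link.virtual_path):
                continue
            if any(_is_under(path, e) for e in link.exceptions):
                continue
            # when links nest, the most specific virtual path wins
            if best is None or len(_norm(link.virtual_path)) > len(_norm(best.virtual_path)):
                best = link
        if best is None:
            return path
        tail = path[len(_norm(best.virtual_path)):]
        return best.backing_path.replace("/", "\\").rstrip("\\") + tail


# Constructed examples of directories a product would refuse to let anyone
# place under a virtual path (not any vendor's actual list).
PROTECTED_DIRS = [
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    r"C:\Program Files\Windows Defender",
]


def check_bind_request(link: BindLink,
                       protected: list[str] = PROTECTED_DIRS) -> tuple[bool, str]:
    """Mitigation check: refuse a bind link whose virtual path is, contains or
    sits inside a protected directory, and likewise one whose backing path
    does (that would alias protected content under an unprotected name)."""
    for p in protected:
        for label, candidate in (("virtual", link.virtual_path),
                                 ("backing", link.backing_path)):
            if _is_under(candidate, p) or _is_under(p, candidate):
                return False, f"{label} path {candidate!r} overlaps protected {p!r}"
    return True, "allowed"


if __name__ == "__main__":
    ns = BindNamespace()
    ns.add(BindLink(r"C:\TMP\123", r"C:\TMP\456"))
    print(ns.resolve(r"C:\TMP\123\engine.dll"))   # C:\TMP\456\engine.dll
    print(check_bind_request(BindLink(
        r"C:\ProgramData\Microsoft\Windows Defender\Platform", r"C:\TMP\123")))
```

The resolver mirrors the page's own sample (C:\TMP\123 mapped onto C:\TMP\456): opening anything under "123" lands under "456" while the caller keeps seeing the virtual name. The check treats overlap in either direction as a refusal, since a product that only compares exact paths would still let a parent or child of its folder be redirected.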

2. Redirecting the EDR executable folder with EDR-Redir

As mentioned above, a bind link can be understood as something like a symbolic link for folders. The difference is that it operates at the minifilter driver level.

Current EDRs are also very vigilant against symbolic link redirection attacks. They check files thoroughly before opening them, or do not follow symlinks at all. Additionally, they use RedirectionGuard to mitigate unsafe junction and symlink traversal: it blocks privileged services from following symlinks unless explicitly allowed.

The most important thing is that you will not be able to write files into the folders containing the executable files of the EDR, unless you have kernel privileges or exploit the EDR software to execute code within its processes.

But what if we could move the executable folder of the EDR to another location, as I have done with Windows Defender?

The challenge here is that when the EDR is active, we have limited options with its executable folders. Even when the EDR service processes are not running, these folders remain protected by the EDR's minifilter.

But everything changes when the bind link comes into play.

2.1 Introduction to the EDR-Redir tool

EDR-Redir is a simple tool that creates a virtual path pointing to a real path. You can download it at the following link:

https://github.com/TwoSevenOneT/EDR-Redir

It has very simple running parameters.

EDR-Redir command arguments

I will try to create a simple bind link with the following command.

EDR-Redir.exe bind c:\TMP\123 c:\TMP\456

At this point, EDR-Redir.exe will create a virtual path C:\TMP\123 pointing to C:\TMP\456. When you interact with "123", all file operations will occur in "456" without any user mode redirect activity.

Sample of a bind link

When EDR-Redir creates the bind link, all operations with the folders at this point are only "OPEN" and "READ". And we, with Administrator privileges, inherently have these permissions with the executable folders of the EDR.

EDR-Redir bind link creation operations


So, what if I turn the EDR folder into a bind link pointing to another folder? This is impossible with a symbolic link, but with the bindflt.sys minifilter, could it succeed?

2.2 Experimenting with EDR-Redir on Windows Defender


EDR-Redir run failed with Windows Defender

With these results, it seems like we've hit a dead end, right?

Don't worry, I have a Plan B just for this stubborn guy. Let's keep experimenting by creating a bind link with Elastic Defend and Sophos Intercept X to see what happens.

2.3 EDR-Redir vs Elastic Defend


Elastic Defend version to run with EDR-Redir

EDR-Redir run successfully with Elastic Defend

EDR-Redir has successfully redirected the executable folder of Elastic Defend to a path that I completely control (C:\TMP\123).

2.4 EDR-Redir vs Sophos Intercept X


Sophos intercept x with EDR-Redir version

EDR-Redir run successfully with Sophos Intercept X

Once the bind link is successfully created, Sophos Intercept X will now use the folder "C:\TMP\123" as its working directory.

Sophos Intercept X compromised after EDR-Redir run success

With the folder completely under our control, we can drop any DLL files to attempt a hijack, or place an executable file for the EDR to run for us. Alternatively, we can simply leave the folder empty to prevent the EDR from operating in the next boot session.

It's important to note that the bind link will not persist after a Windows reboot. Therefore, if you want to maintain these bind links, you need to create a task or service that runs at Windows startup to recreate them.

2.5 Windows Defender and Cloud Files API


The Windows Cloud Filter API, also known as the Cloud Files API (CFAPI), is a Win32 interface that lets developers build sync engines and cloud storage solutions that integrate seamlessly with the Windows file system.

cldflt.sys is the Cloud Files Mini Filter Driver that powers the on-demand file access feature in Windows, used by services like OneDrive to show placeholder files that download only when opened. It works in tandem with the Cloud Filter API (cfapi.h) to manage hydration (downloading) and dehydration (removing local copies) of files.

The CFAPI provides a function called CfRegisterSyncRoot that registers a sync root with the system.
CfRegisterSyncRoot takes a CF_SYNC_POLICIES structure that must be filled in to successfully register a sync root folder.
If I register a sync root folder with a nearly empty policy, without any parameters, what will happen to the newly registered folder?

Corrupted sync root folder with EDR-Redir

Sometimes, code errors can have their silver linings, at least in this case.

So, what if I perform an incomplete registration of the sync root with the active folder of Windows Defender? Let's conduct an experiment right away.

EDR-Redir with cloud API can block Windows Defender

As you can see in the image above, EDR-Redir has successfully registered a sync root with the Windows Defender folder. At this point, Defender will no longer be able to access its folder. If you restart Windows, Defender's services will also be unable to run.

The sync root folder will persist after a Windows reboot, so we don't need to create a task or service to reactivate it.

3. Demo Video


III. ENDING


By controlling the folder containing the EDR activities, an attacker can execute various actions on the victim's EDR system to remain undetected: dropping DLL files for hijacking, placing executable files to trigger the EDR on their behalf, or simply blocking and disabling the processes and services of the EDR.

EDR-Redir uses the Bind Filter minifilter (bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect the EDR's working folder to a folder of the attacker's choice. Alternatively, it can make the folder appear corrupt so that the EDR's processes and services cannot function.

The EDR-Redir technique occurs entirely at the minifilter driver level, so there will be limited events to monitor at the user mode. Defense against this technique primarily comes from EDRs enhancing their protection for their folders.

IV. READING

Some books you should read to sharpen your cybersecurity skills, especially in offensive security:

Books on Programming and Cybersecurity recommended by Zero Salarium Researchers


Author of the article: Two Seven One Three


