EDR-Redir V2 introduces a new method of evading Windows Defender on Windows 11: instead of redirecting the EDR's own folder, it redirects a parent directory such as Program Files to a fake copy and loops over that directory's subfolders so that everything except the EDR's folder still resolves to the original.
Mechanism Exploited
The tool abuses Windows bind links, a Windows 11 feature implemented by the Bind Filter minifilter that maps one directory path onto another without a symbolic link or junction, so the redirect is invisible to ordinary path inspection. Rather than binding the EDR's installation folder itself, it targets a parent directory such as Program Files: the parent is pointed at an attacker-controlled copy, and each subfolder of the real directory is mirrored back to its original location so that legitimate applications under the same parent keep working unchanged.
Earlier EDR-Redir versions were limited because the EDR blocks redirections aimed directly at its own folder. Version 2 sidesteps that check by redirecting the ancestor instead: it loops over the subfolders, links each one back to the original, and substitutes only the specific EDR path. The whole operation runs from user mode with administrator rights, which the bind link API requires; no kernel driver or kernel-level privilege is needed.
Demonstration Details
Researcher TwoSevenOneT demonstrated EDR-Redir V2 on Windows 11, targeting Windows Defender's folder at C:\ProgramData\Microsoft\Windows Defender, where the redirected parent is C:\ProgramData\Microsoft rather than Program Files. Running the tool with the target path as a parameter produced console output confirming that the redirection was in place.
Once the bind link is active, every access Defender makes to its own folder is served from a temporary directory under the attacker's control rather than from the real location: the original files are no longer what the path resolves to, and the attacker can stage replacement files there, including code that the EDR may then load. The tool and a demonstration video are published on GitHub and YouTube.
Security Implications
The technique shows that protecting only the EDR's own folder is not enough: a bind link on any ancestor directory produces the same redirection while bypassing the folder-specific safeguard. Because it needs only a handful of API calls and administrator rights, it is cheap to weaponize in an enterprise environment if left unaddressed. Defenders should treat the creation of bind links, above all ones targeting Program Files, ProgramData or other ancestors of security-tool directories, as suspicious, and should verify that the EDR's paths still resolve to the expected, signed files rather than trusting the path name alone. Vendors in turn need to extend their protections to ancestor directories without breaking legitimate uses of bind links.
TwoSevenOneT posts research updates on X; the material is relevant to red teams assessing EDR resilience as well as to the defenders who must detect it.
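The following PowerShell script is an added example, not code from EDR-Redir or from TwoSevenOneT. It implements the integrity check suggested above: it records the NTFS file ID, SHA-256 hash and Authenticode signer of every binary under the EDR's folders, and on later runs reports any file whose path now resolves to a different underlying NTFS object, whose content changed, or whose signature is missing or from an unexpected signer. The Defender paths are the ones named in this article plus the default engine location; the baseline file location, the 'O=Microsoft Corporation' signer string and the requirement to run elevated are assumptions of this example.

```powershell
<#
  Added example, not code from EDR-Redir or TwoSevenOneT. Snapshot the NTFS file
  IDs, hashes and Authenticode signatures of the binaries under an EDR's folders,
  then re-check them later. A bind link on the folder or any ancestor makes the
  path resolve to different backing files, so the file IDs change even though the
  path strings do not.
  Assumptions: elevated PowerShell 5.1 or 7; the baseline location and the
  'O=Microsoft Corporation' signer check are arbitrary choices made for Defender.
#>
param(
    [string[]]$WatchPaths = @(
        'C:\ProgramData\Microsoft\Windows Defender',   # folder named in the article
        'C:\Program Files\Windows Defender'
    ),
    [string]$BaselinePath = "$env:ProgramData\edr-path-baseline.json",  # assumed location
    [string]$ExpectedSigner = 'O=Microsoft Corporation',                # adjust per EDR
    [switch]$Baseline   # write a new baseline instead of checking against one
)

function Get-NtfsFileId {
    param([string]$Path)
    # fsutil reports the ID of the file that was actually opened; under a bind
    # link that is the file in the redirect target, not the one at $Path.
    $out = & fsutil.exe file queryFileID $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    return (($out | Out-String) -replace '(?s)^.*File ID is\s*', '').Trim()
}

function Get-PathSnapshot {
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $snap[$_.FullName] = [ordered]@{
                    FileId    = Get-NtfsFileId -Path $_.FullName
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = [string]$sig.Status
                    Signer    = $signer
                }
            }
    }
    return $snap
}

function Compare-Snapshot {
    param($Old, $New, [string]$Signer)
    $findings = @()
    foreach ($path in $New.Keys) {
        $cur = $New[$path]
        if ($cur.SigStatus -ne 'Valid' -or $cur.Signer -notlike "*$Signer*") {
            $findings += "UNTRUSTED SIGNATURE: $path [$($cur.SigStatus)] $($cur.Signer)"
        }
        if (-not $Old.ContainsKey($path)) { $findings += "NEW FILE: $path"; continue }
        $prev = $Old[$path]
        if ($prev.FileId -ne $cur.FileId) {
            # Same path, different underlying NTFS object. A legitimate update also
            # does this, so refresh the baseline after updates; outside an update
            # window it is the strongest sign that the path has been redirected.
            $findings += "BACKING FILE CHANGED (possible redirection): $path"
        } elseif ($prev.Sha256 -ne $cur.Sha256) {
            $findings += "CONTENT CHANGED: $path"
        }
    }
    foreach ($path in $Old.Keys) {
        if (-not $New.ContainsKey($path)) { $findings += "MISSING: $path" }
    }
    return $findings
}

$current = Get-PathSnapshot -Roots $WatchPaths
if ($Baseline) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($current.Count) files)"
    return
}
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run once with -Baseline on a known-good host."
}
$saved = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $saved[$_.Name] = $_.Value }

$findings = @(Compare-Snapshot -Old $saved -New $current -Signer $ExpectedSigner)
if ($findings.Count -eq 0) {
    Write-Output "OK: $($current.Count) files match the baseline"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once with -Baseline on a known-good host (and again after each EDR update, since Defender installs new platform folders), then on a schedule without the switch. The script opens the paths through the same filter stack as everything else, so it cannot see the bind link itself; it sees its effect, namely that the path now opens a different NTFS object, and it flags staged files that are unsigned or signed by someone other than the expected vendor. Swap the signer string for other EDRs.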