A new version of an offensive security tool, EDR-Redir V2, has been released. It evades Endpoint Detection and Response (EDR) systems, including Windows Defender, by exploiting Windows bind link technology to create redirection loops in parent directories (like ‘Program Files’).
Business Impact
This technique can effectively “blind” an EDR to its own files, allowing an attacker to operate undetected. A blinded EDR gives attackers free rein to execute malware, steal credentials, and exfiltrate data without triggering alerts, rendering a primary defensive control useless.
Why It Happened
The tool exploits a novel attack vector: EDR systems do not properly check for redirections applied at the parent-directory level. It creates a redirection loop in which Defender’s own file-access attempts get caught, preventing Defender from reaching its operational files while leaving other legitimate applications unaffected.
Recommended Executive Action
Direct your SOC and endpoint security teams to review the research from the tool’s creator. They should investigate implementing new detection rules to monitor for suspicious bind link usage in critical system directories and verify with your EDR vendor that they are protected against this technique.
