New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files

Brownie2019

An upgraded release of the tool, EDR-Redir V2, is designed to evade Endpoint Detection and Response (EDR) systems by exploiting Windows bind link technology in a novel way.
According to the researcher TwoSevenOneT, this version targets the parent directories of EDR installations, such as Program Files, to create redirection loops that blind security software without disrupting legitimate applications.
Previously, EDR-Redir used direct folder redirections, but protections often blocked those attempts; V2 circumvents this by looping subfolders back to themselves while isolating the EDR’s path for manipulation.
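To make the primitive behind the post concrete, here is an added lab example (not the EDR-Redir tool's code and not the researcher's) that exercises the documented bind link API from bindlink.dll (CreateBindLink / RemoveBindLink, Windows 11 24H2 or later, elevated prompt) on scratch directories under %TEMP%. It shows what a consumer of the file system sees when a parent directory is redirected, first as a plain shadowing link and then as a merged link, which is the mode under which sibling applications stay reachable. It does not reproduce the tool's subfolder loop against Program Files; the Parent/Vendor/OtherApp/Backing names are constructed for the lab, and the flag values 0 and 2 are the CREATE_BIND_LINK_FLAGS constants for none and merged as I understand bindlink.h.

```powershell
#Requires -RunAsAdministrator
# Added lab example, not code from the original post or the EDR-Redir tool.
# Exercises the public bind link API on throwaway directories under %TEMP%.

Add-Type -Namespace Lab -Name BindLink -MemberDefinition @'
[DllImport("bindlink.dll", CharSet = CharSet.Unicode)]
public static extern int CreateBindLink(string virtualPath, string backingPath,
    uint createBindLinkFlags, uint exceptionCount, string[] exceptionPaths);
[DllImport("bindlink.dll", CharSet = CharSet.Unicode)]
public static extern int RemoveBindLink(string virtualPath);
'@

$FLAG_NONE   = 0   # assumed CREATE_BIND_LINK_FLAG_NONE
$FLAG_MERGED = 2   # assumed CREATE_BIND_LINK_FLAG_MERGED

# Constructed lab layout: Parent stands in for a parent directory such as
# Program Files, Backing for the path an attacker would point the link at.
$root    = Join-Path $env:TEMP ("bindlab-" + [guid]::NewGuid().ToString('N'))
$parent  = Join-Path $root 'Parent'
$backing = Join-Path $root 'Backing'
$null = New-Item -ItemType Directory -Force -Path "$parent\Vendor", "$parent\OtherApp", "$backing\Vendor"
Set-Content -LiteralPath "$parent\Vendor\agent.txt"  -Value 'real vendor file'
Set-Content -LiteralPath "$parent\OtherApp\app.txt"  -Value 'unrelated application'
Set-Content -LiteralPath "$backing\Vendor\agent.txt" -Value 'content served from Backing'

function Show-View([string]$label) {
    "--- $label"
    Get-ChildItem -LiteralPath $parent -Recurse -File | ForEach-Object {
        "{0}  =>  {1}" -f $_.FullName.Substring($root.Length),
                          (Get-Content -LiteralPath $_.FullName -Raw).Trim()
    }
}

function Invoke-WithBindLink([uint32]$flags, [string]$label) {
    $hr = [Lab.BindLink]::CreateBindLink($parent, $backing, $flags, 0, $null)
    if ($hr -ne 0) { throw ("CreateBindLink failed, HRESULT 0x{0:X8}" -f $hr) }
    try     { Show-View $label }
    finally { [Lab.BindLink]::RemoveBindLink($parent) | Out-Null }   # always unlink
}

Show-View 'before any bind link'

# Plain link: the namespace under Parent is shadowed by Backing, so OtherApp
# disappears from the listing. This is the disruptive behaviour the post
# says protections and real-world use both push against.
Invoke-WithBindLink $FLAG_NONE 'Parent redirected, flag none'

# Merged link: Backing is overlaid on Parent. OtherApp should remain visible
# while Vendor\agent.txt should now read from Backing (backing path wins on a
# name collision, per the documented merged semantics; confirm in the listing).
Invoke-WithBindLink $FLAG_MERGED 'Parent redirected, flag merged'

Show-View 'after removal'
Remove-Item -LiteralPath $root -Recurse -Force
```

Two things worth noticing when you run it: the link is held by the bindflt minifilter in memory, so `Get-Item` reports no LinkType and nothing appears on disk, and RemoveBindLink restores the original view immediately. That is why a redirected Program Files subtree looks normal to any tool that only inspects the directory entries.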
Interesting development—thanks for sharing, Brownie2019. Tools like EDR-Redir V2 highlight how attackers are getting creative with Windows internals to bypass defenses. From what I've read, this one leverages bind links to create redirection loops in parent directories, effectively isolating EDR processes without touching the core system paths. It's a step up from the original, which was more straightforward and easier to block.

That said, as a reminder for anyone following along: this is purely for educational awareness in security circles. If you're on the defensive side (like most of us here), focus on hardening your setup—things like enabling tamper protection in Windows Defender, monitoring for unusual file system changes via tools like Sysmon, or using layered security with behavioral analysis can help mitigate these kinds of evasions. Always test in a safe environment if you're researching.

Anyone else seen similar techniques in the wild? Curious if AV vendors have already patched against this variant.
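Following up on the defensive suggestions above with an added check (my own, not the poster's and not from any vendor): it reads the Defender settings that matter here, lists whether the bind, cloud-files and Defender minifilters are loaded, and records where the Defender engine process is actually executing from. Bind links leave no reparse point, so this is about filter state, process paths and telemetry rather than inspecting directory entries. Cmdlets and commands are the standard ones (Get-MpComputerStatus, fltmc.exe, Win32_Process); the expected engine location is stated as an assumption.

```powershell
#Requires -RunAsAdministrator
# Added defensive check, not part of the original thread. Run elevated:
# fltmc.exe needs it, and MsMpEng's path is easier to read that way.

function Get-DefenderPosture {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected    = $s.IsTamperProtected
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = $s.AMRunningMode
        EngineVersion      = $s.AMEngineVersion
    }
}

function Get-LoadedMinifilter {
    # fltmc prints a fixed-width table: name, instances, altitude, frame.
    fltmc.exe filters 2>$null | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = $Matches[3] }
        }
    }
}

function Get-DefenderEnginePath {
    # WMI generally reports the image path even though MsMpEng runs as a
    # protected process; an empty ExecutablePath is itself worth noting.
    Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'" |
        Select-Object ProcessId, ExecutablePath
}

$posture = Get-DefenderPosture
$posture | Format-List
if (-not $posture.TamperProtected) { Write-Warning 'Tamper Protection is OFF' }
if ($posture.RunningMode -ne 'Normal') { Write-Warning "Defender running mode: $($posture.RunningMode)" }

$filters = Get-LoadedMinifilter
foreach ($name in 'bindflt', 'cldflt', 'WdFilter') {
    $f = $filters | Where-Object Name -eq $name
    if ($f) { "{0,-8} loaded   altitude {1,-10} instances {2}" -f $name, $f.Altitude, $f.Instances }
    else    { "{0,-8} not loaded" -f $name }
}

# Assumption: on a current build the engine runs from the Defender platform
# folder under ProgramData (or from Program Files\Windows Defender on older
# builds). Anything else deserves a second look.
$expected = @('C:\ProgramData\Microsoft\Windows Defender\Platform\', 'C:\Program Files\Windows Defender\')
foreach ($p in Get-DefenderEnginePath) {
    $ok = $p.ExecutablePath -and ($expected | Where-Object { $p.ExecutablePath.StartsWith($_, 'OrdinalIgnoreCase') })
    "{0} PID {1} at '{2}'" -f ($(if ($ok) { 'OK     ' } else { 'REVIEW ' })), $p.ProcessId, $p.ExecutablePath
}
```

Treat the output as a baseline to diff against rather than a verdict: bindflt and cldflt are legitimately loaded on many systems, and the useful signal is a change in filter instances, running mode or engine path between two runs, ideally correlated with Sysmon process and file events from the same window.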
 
In another article about EDR-Redir Tool:

The researcher tested this against multiple EDRs. With Elastic Defend and Sophos Intercept X, the tool successfully redirected their executable folders to attacker-controlled locations.
(...)
Windows Defender proved more resilient to direct Bind Link redirection, likely due to its integrated protections. However, the researcher devised a workaround using the Cloud Files API (CFAPI), powered by cldflt.sys.
(...)
Tests confirmed similar efficacy against two unnamed commercial EDRs, highlighting a broad risk.