Attackers want quiet ways to cut visibility. EDR-Redir V2 targets Microsoft Defender on Windows 11 by abusing Windows bind links so Defender looks healthy while it loses access to its own working paths. Because the redirection occurs in the minifilter stack, surface-level checks often pass. However, careful validation exposes the misdirection and lets you restore telemetry quickly.
Bind Link Abuse to Blind Defender
Windows uses minifilter drivers to shape file I/O. bindflt.sys implements bind links that map one path to another. cldflt.sys supports Cloud Files semantics. EDR-Redir V2 leverages these components to reroute folders under Program Files or ProgramData. Then Defender’s processes try to read and write as usual, yet the filesystem silently points them to a different location or loops resolution so operations fail. Consequently, alerts drop, sensor writes miss, and investigations slow down even though services continue to run.
Preconditions and Scope
The operator needs administrative privileges on a Windows 11 host (or a supported Windows 10 build with these filters). Defender for Endpoint runs in the environment, sometimes with Defender Antivirus in active or passive mode. Because the manipulation lives below user-mode, service status can appear normal while EDR files resolve elsewhere.
Exploitation Flow
First, the operator profiles C:\Program Files and C:\ProgramData to understand where security components live. Next, they mirror subfolders to a controlled directory such as C:\TMP\TEMPDIR. Then they create bind links that loop most folders back to themselves to preserve application behavior. Critically, they exclude the EDR's own directory and redirect only that path to the controlled mirror. Example syntax from public demonstrations resembles: EDR-Redir.exe C:\ProgramData\Microsoft C:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender". After execution, Defender continues to run; however, its working-directory reads and writes now land inside TEMPDIR, which degrades telemetry and breaks the EDR stack's assumptions about where its own files live.
Artifacts and Operational Side Effects
Expect bind links under sensitive parents. Watch minifilter altitudes and load order for irregularities tied to bindflt and cldflt. Some hosts show subtle path-resolution errors without obvious service failures. More importantly, watch for drops in alert volume and event counts that begin close to the time the links appear. Because the goal is silence, you often see gaps rather than explicit errors.
Why Program Files Redirection Matters
EDR-Redir V2 extends prior folder-targeted tricks by going one level up to the parent folder (for example, Program Files). By looping non-EDR subfolders back to themselves, the environment continues to work for most applications. Meanwhile, a single exception, the EDR's own folder, routes to a location the attacker controls. Therefore, the change hides within normal operations while it denies the EDR reliable file access.
Detection and Validation
Start with health, then verify the filesystem and filters.
• Enumerate bind links beneath Program Files and ProgramData; compare against a baseline.
• Inspect minifilter altitudes and groups to confirm expected ordering for bindflt and cldflt.
• Check Defender event volume and EDR-in-block-mode behavior; identify sudden gaps that align with link creation.
• Remove suspicious links or restore expected paths; then validate that telemetry returns to prior rates.
Because attackers avoid noise, compare yesterday vs. today per-host event counts and flag sharp drops that match filter changes.
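The minifilter and event-volume checks from the list above, plus the day-over-day comparison, as an added example for an elevated PowerShell session on the endpoint (this is not code from the original article or from the EDR-Redir project). The baseline file path and the 50% drop ratio are assumptions; the bind links themselves are not enumerated here.

```powershell
# Added example (not from the original article): Defender health, minifilter drift and event-volume gap checks.
$BaselinePath = 'C:\SecBaseline\minifilters.json'   # assumed location; the first run writes it

function Get-DefenderHealth {
    # Service, real-time protection and tamper-protection state as Defender reports it.
    Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected
}

function Get-MinifilterTable {
    # Parse 'fltmc filters' into objects; data rows look like "bindflt  1  409800  0".
    $rows = @()
    foreach ($line in (fltmc filters)) {
        if ($line -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>\d+(\.\d+)?)\s+(?<Frame>\d+)\s*$') {
            $rows += [pscustomobject]@{ Name = $Matches.Name; Instances = [int]$Matches.Instances; Altitude = [double]$Matches.Altitude; Frame = [int]$Matches.Frame }
        }
    }
    return $rows
}

function Compare-MinifilterBaseline {
    # First run stores the baseline; later runs warn when the filters that matter here move or disappear.
    param([string]$Path = $BaselinePath)
    $now = Get-MinifilterTable
    if (-not (Test-Path $Path)) {
        ConvertTo-Json -InputObject $now | Set-Content -Path $Path
        Write-Output "Baseline written to $Path; rerun later to compare."
        return
    }
    $base = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($name in 'bindflt', 'cldflt', 'WdFilter') {
        $b = $base | Where-Object { $_.Name -eq $name }
        $n = $now  | Where-Object { $_.Name -eq $name }
        if (-not $n) { Write-Warning "$name is not loaded now (in baseline: $([bool]$b))"; continue }
        if ($b -and ($b.Altitude -ne $n.Altitude -or $b.Instances -ne $n.Instances)) {
            Write-Warning "$name drifted: altitude $($b.Altitude)->$($n.Altitude), instances $($b.Instances)->$($n.Instances)"
        }
    }
}

function Get-DefenderEventDrop {
    # Compare the last 24h of Defender operational events with the 24h before and flag a sharp drop.
    param([double]$DropRatio = 0.5)   # assumption: today below 50% of yesterday is a gap worth triage
    $log = 'Microsoft-Windows-Windows Defender/Operational'
    $now = Get-Date
    $today = @(Get-WinEvent -FilterHashtable @{LogName=$log; StartTime=$now.AddDays(-1); EndTime=$now} -ErrorAction SilentlyContinue).Count
    $prior = @(Get-WinEvent -FilterHashtable @{LogName=$log; StartTime=$now.AddDays(-2); EndTime=$now.AddDays(-1)} -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Yesterday = $prior; Today = $today; Dropped = ($prior -gt 0 -and $today -lt $prior * $DropRatio) }
}
```

Run Get-DefenderHealth, Compare-MinifilterBaseline and Get-DefenderEventDrop in that order; a drift warning and a Dropped = True result arriving together on the same host is the pattern the section above describes.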
Mitigation and Hardening
Treat any bind link that touches security tooling as hostile unless explicitly justified. Enforce tamper protection, reduce local admin abuse through policy, and baseline approved bind links so you can alert on drift. Where feasible, monitor and protect bindflt and cldflt states, including administrative actions that create or modify links. After cleanup, re-enable or confirm EDR in block mode, validate event throughput, and log the configuration so change control doesn’t roll it back.
Business Impact and Risk
When EDR paths misroute, investigations slow and dwell time rises. Telemetry gaps help lateral movement and ransomware staging. Even if you do not see broad exploitation today, the low complexity and quiet footprint make the technique appealing. Therefore, your control objective becomes continuous filter-layer validation, not episodic fixes.
Lessons Learned
Bake a standing control into endpoint management that inventories bind links and minifilter state on every device. Track changes over time. Alert on new links under sensitive parents. Coordinate with platform owners so integrity checks do not block legitimate updates or cloud-sync features. Above all, treat EDR health as a monitored asset and watch for quiet failures, not only explicit errors.
FAQs
Does this require kernel-mode code?
No. It abuses supported filter behavior but still needs administrative privileges.
Will EDR in block mode stop it?
Block mode helps, yet path misdirection can still degrade telemetry. Always validate block mode after remediation.
What should we monitor long term?
Track bind link creation, minifilter altitudes, Defender health, and event volume trends. Alert on gaps and drift rather than waiting for a single error log.