Bitdefender researchers demonstrated three bind link abuse techniques in Windows that can let attackers evade EDR visibility, including file-binding, process-binding, and silo-binding. The findings show how legitimate Windows features such as bindflt.sys, Store apps, Windows Sandbox, and containers can be manipulated to hide payloads and bypass defenses like AMSI, AppLocker, Windows Firewall, Sysmon, and even detection of Mimikatz. #Bitdefender #bindflt.sys #AMSI.dll #Mimikatz #Sysmon
Keypoints
- Bitdefender identified three Windows bind link abuse techniques for EDR evasion.
- File-binding can redirect trusted DLL paths to attacker-controlled files.
- Process-binding can make a malicious executable appear as a harmless trusted file.
- Silo-binding uses Windows silos to create different file views inside and outside the silo.
- The techniques can bypass defenses such as AMSI, AppLocker, Windows Firewall, Sysmon, and Mimikatz detection.
Read More: https://www.securityweek.com/windows-bind-link-attacks-can-hide-malware-from-edr-tools/