EDR-Redir V2 demonstrates a technique for redirecting a security product's operating folder by creating a bind-link loop between Program Files and an attacker-controlled TEMPDIR, so that a DLL-hijacking payload is loaded in place of the EDR. The experiment, using Windows Defender on Windows 11, shows that protecting only the EDR's own directory, while leaving its parent folders writable, can be bypassed, and highlights the need to monitor for bind-link tampering. #EDRRedir #WindowsDefender #Windows11 #ProgramFiles #DLLHijacking
Key points
- The V2 version of EDR-Redir uses a bind-link technique to redirect the Program Files folder through a controlled TEMPDIR.
- It relies on the fact that EDRs protect their own operating folders but do not prevent writes to the parent folders above them.
- The implementation maps the Program Files folders to C:\TMP\TEMPDIR and creates loops between Program Files and TEMPDIR so that accesses to the EDR's folder are redirected.
- DLL hijacking inside TEMPDIR is used to drop executables that are loaded in place of the EDR's own components.
- Defenders should monitor bind-link activity on critical folders like Program Files to detect tampering, as many EDRs could be affected.
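The last point is the defensive takeaway. One cheap complement to monitoring bind-link creation is an integrity baseline: record the volume and file identity of the protected directories and the files inside them, then re-check and alert when a watched path starts resolving to different objects. The script below is an added example written for this summary; it is not code from the EDR-Redir post or its author. It assumes (an assumption, not something the post confirms) that a path redirected away from its original backing store yields a different (st_dev, st_ino) pair than the one recorded at baseline time, and it simulates the redirect with constructed temporary directories so it runs portably. It does not observe the bind-link operation itself; it only flags the effect on the watched paths.

```python
"""Baseline-and-compare check for directory identity drift.

Added example, not code from the EDR-Redir post. Assumption: a watched
path that has been redirected (bind link, directory swap, bind mount)
resolves to objects whose (st_dev, st_ino) differ from the originals
recorded at baseline time. The demo simulates that with temp dirs.
"""
import os
import tempfile
from pathlib import Path


def snapshot(paths):
    """Record (st_dev, st_ino) for each watched path; None if it is missing."""
    out = {}
    for p in paths:
        try:
            st = os.stat(p)
            out[str(p)] = (st.st_dev, st.st_ino)
        except FileNotFoundError:
            out[str(p)] = None
    return out


def compare(baseline, current):
    """Return a list of (path, reason) for every entry whose identity drifted."""
    findings = []
    for p, ident in baseline.items():
        now = current.get(p)
        if ident is None:
            continue  # nothing to compare against
        if now is None:
            findings.append((p, "missing"))
        elif now != ident:
            findings.append((p, "identity changed: %r -> %r" % (ident, now)))
    return findings


def demo():
    """Simulate a redirect of an EDR folder under a constructed Program Files tree.

    Returns the findings list; with the simulation below it has exactly two
    entries (the EDR directory and the DLL inside it), while the untouched
    parent folder produces none.
    """
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        program_files = root / "Program Files"
        edr_dir = program_files / "ExampleEDR"      # constructed placeholder name
        edr_dir.mkdir(parents=True)
        (edr_dir / "agent.dll").write_bytes(b"original vendor component")

        watched = [program_files, edr_dir, edr_dir / "agent.dll"]
        baseline = snapshot(watched)

        # Simulate redirection: the original folder is kept alive elsewhere
        # (so its identity is not reused) and the same path is now backed by
        # different objects, which is what a bind-link redirect would cause.
        tempdir = root / "TEMPDIR"
        tempdir.mkdir()
        edr_dir.rename(tempdir / "ExampleEDR")
        edr_dir.mkdir()
        (edr_dir / "agent.dll").write_bytes(b"untrusted replacement")

        return compare(baseline, snapshot(watched))


if __name__ == "__main__":
    for path, reason in demo():
        print("ALERT", path, reason)
```

In a real deployment the baseline would be taken at install time for the EDR's directory tree and its parents, stored somewhere the agent on the same host cannot rewrite, and compared on a schedule; a drift finding is a signal to inspect the host for bind links or other redirection, not proof of compromise by itself.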
Read More: https://www.zerosalarium.com/2025/11/EDR-Redir-V2-Blind-EDR-With-Fake-Program-Files.html