Security researcher TwoSevenOneT has released EDR-Redir V2, an upgraded evasion tool that abuses Windows bind link technology to bypass endpoint detection and response solutions on Windows 11.
The new version demonstrates a sophisticated approach to redirecting security software by manipulating parent directories rather than directly targeting protected EDR folders.
Novel Attack Technique Targets Parent Folders
Unlike the original EDR-Redir tool, which created bind links directly to antivirus and EDR executable folders, version 2 uses a different strategy that targets parent directories such as Program Files or ProgramData.
The researcher found that while EDR solutions protect their working folders from unauthorized file writes, they cannot prevent modifications to parent directories without disrupting legitimate software installations across the system.

The technique creates a circular bind link structure in which folders point back to themselves through an attacker-controlled temporary directory.
EDR-Redir V2 first enumerates all subfolders within the target parent directory, then creates corresponding folders in an attacker-controlled location such as C:\TMP\TEMPDIR.
The tool then establishes bind links that form a loop, so that access to those folders circles back through the temporary directory, while deliberately excluding the EDR's own folder from the loop.
In a proof-of-concept demonstration, the researcher successfully redirected Windows Defender on Windows 11. Windows Defender operates from C:\ProgramData\Microsoft\Windows Defender, making the ProgramData\Microsoft folder the attack target.
Running EDR-Redir with specific parameters successfully forced Windows Defender to perceive the attacker-controlled temporary directory as its parent folder, enabling potential DLL hijacking attacks.
The tool requires three parameters: the folder to redirect, the target location, and the exception folder that should remain unlinked.
During execution, EDR-Redir displays console information about the bind links it creates, for monitoring purposes, confirming successful redirection of the security software.
The researcher suggests this technique could affect numerous antivirus and EDR solutions, as many developers may not anticipate parent directories like Program Files being redirected during normal operation.
Once an attacker successfully compromises the parent folder, EDR protection of the working directories becomes ineffective.
The technique opens pathways for DLL hijacking by allowing attackers to drop malicious executable files into the redirected temporary directory.
Security teams can defend against this attack vector by implementing monitoring for bind link creation attempts targeting critical system folders like Program Files and ProgramData.
The tool is publicly available on GitHub, raising concerns about potential exploitation by threat actors targeting enterprise environments.
Organizations running Windows 11 with various EDR solutions should evaluate their exposure to parent folder redirection techniques and implement appropriate bind link monitoring controls.