Endpoint/Device Security

Windows bind links exploited for EDR evasion

Windows 11 start button on computer menu screen close up view

As reported by Security Week, security researchers at Bitdefender have demonstrated three attack techniques that leverage Windows' bind links to evade endpoint detection and response (EDR) products. Bind links are a legitimate Windows feature that creates a virtual path, but when manipulated, they can redirect access to attacker-controlled files, effectively hiding malware.

The researchers detailed three methods: file-binding, process-binding, and silo-binding. File-binding involves hijacking DLL paths, such as AMSI.dll, to load malicious code invisibly. Process-binding extends this to executable images, making malicious processes appear as legitimate ones like winver.exe to EDRs. The most sophisticated technique, silo-binding, uses Windows silos to create isolated file system views, preventing detection by external scanners. This method requires administrator access and can bypass security defenses like AppLocker and EDRs.

Microsoft has classified the threat as low severity due to the administrator privilege requirement. However, Bitdefender argues that attackers frequently obtain such access, and this method provides a potent evasion tool for ransomware groups, bypassing the need for vulnerable drivers.

Source: Security Week

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds