As reported by Security Week, security researchers at Bitdefender have demonstrated three attack techniques that leverage Windows' bind links to evade endpoint detection and response (EDR) products. Bind links are a legitimate Windows feature that creates a virtual path, but when manipulated, they can redirect access to attacker-controlled files, effectively hiding malware.The researchers detailed three methods: file-binding, process-binding, and silo-binding. File-binding involves hijacking DLL paths, such as AMSI.dll, to load malicious code invisibly. Process-binding extends this to executable images, making malicious processes appear as legitimate ones like winver.exe to EDRs. The most sophisticated technique, silo-binding, uses Windows silos to create isolated file system views, preventing detection by external scanners. This method requires administrator access and can bypass security defenses like AppLocker and EDRs.Microsoft has classified the threat as low severity due to the administrator privilege requirement. However, Bitdefender argues that attackers frequently obtain such access, and this method provides a potent evasion tool for ransomware groups, bypassing the need for vulnerable drivers.Source: Security Week
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




