Bitdefender Uncovers Windows Bind Link Technique That Evades EDR Detection

 

Researchers at Bitdefender have discovered a new technique for hiding malware from Endpoint Detection and Response (EDR) solutions by utilizing bind links, a valid Windows feature. Despite Microsoft’s classification of this issue as low severity due to the fact that administrator privileges are required, Bitdefender maintains that the attack technique poses a significant risk since attackers frequently obtain elevated access during actual intrusions. 
The Bind Link feature is a valid kernel-level functionality that can be used by components such as Windows Sandboxes, Microsoft Store apps, and Windows containers to redirect virtual paths to actual system locations. As Bitdefender reports, attackers can manipulate these links so that trusted Windows paths point to malicious files instead of legitimate ones, enabling malware to execute while appearing harmless to security applications.
The issue affects Windows 10 RS4 and later versions, including Windows 11, meaning that most modern enterprise Windows systems may be vulnerable if attackers gain local administrator privileges. As a result, Bitdefender reports that this technique is particularly relevant as ransomware groups often seek elevated permissions before deploying malicious software or disabling security controls, making it particularly effective. 
Several attack methods were identified by researchers that abuse bind links. The first, file-binding, redirects trusted Dynamic Link Libraries (DLLs) paths to malicious DLLs, thus allowing attackers to bypass security mechanisms such as the Antimalware Scan Interface (AMSI). Second, process-binding tricks EDR solutions into inspecting trusted executables while a malicious file is actually being executed. 
By using Windows silos to create isolated filesystem views, silo-binding is the most advanced technique. Using this technique, malware is permitted to run within the silo while external security tools will only view clean, legitimate files. By disguising Invoke-Mimikatz as a trusted Windows system process, Bitdefender successfully bypassed an EDR solution by demonstrating the technique in practice. 
In addition to bypassing built-in Windows security measures such as AppLocker, Windows Firewall, and Sysmon, researchers observed that bind-link abuse was an effective post-compromise evasion technique. A legitimate Windows capability is exploited by bind-link abuse, unlike traditional “EDR killer” techniques which often rely upon vulnerable drivers. 
Instead of creating a permanent file on disk, the malicious redirection occurs only in memory via the Windows’ bindflt.sys minifilter driver. Although Microsoft acknowledged these findings, they rated the issue as low severity since it requires local administrator privileges to exploit it.
A ransomware group and advanced threat actor routinely obtain elevated privileges after compromising a computer system, according to Bitdefender, who disagreed with that assessment. 
Using bind-link abuse is similar to the increasingly common Bring Your Own Vulnerable Driver (BYOVD) approach, as attackers are able to evade endpoint protection similarly, but utilizing legitimate Windows functionality rather than vulnerable drivers for evasion.
To detect path manipulation, endpoint security products should repeatedly verify the underlying file during execution to detect path manipulation. 
In addition, Bitdefender recommen

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: