Windows Bind Link Attacks Can Hide Malware From EDR Tools

https://www.securityweek.com/wp-content/uploads/2024/10/Windows-Kernel-BSOD.jpg

Security researchers at Bitdefender have demonstrated three attack techniques in which Windows’ bind links can be used to evade endpoint detection and response (EDR) products.

Bind links are a legitimate Windows feature implemented by bindflt.sys and used by Store apps, Windows Sandbox, and Windows containers. They are a kernel-level redirection mechanism creating a virtual path that transparently maps onto the real backing path.

However, if the bind link is altered so the backing path points to a file controlled by an attacker, then that file is accessed effectively invisibly. Under certain circumstances, this could lead to loading hidden malware while all the system sees is a visible link pointing at a known innocuous file.

For example, report the researchers, if the backing path is, “Pointed at a DLL, it becomes file-binding: a process loads an attacker’s file from a path it trusts.”

The security problem arises because defenses are heavily...

Copyright of this story solely belongs to securityweek.com. To see the full text click HERE

Read more