Researchers at Bitdefender have discovered a new technique for hiding malware from Endpoint Detection and Response (EDR) solutions by utilizing bind links, a valid Windows feature. Despite Microsoft's classification of this issue as low severity due to the fact that administrator privileges are required, Bitdefender maintains that the attack technique poses a significant risk since attackers frequently obtain elevated access during actual intrusions.
The Bind Link feature is a valid kernel-level functionality that can be used by components such as Windows Sandboxes, Microsoft Store apps, and Windows containers to redirect virtual paths to actual system locations. As Bitdefender reports, attackers can manipulate these links so that trusted Windows paths point to malicious files instead of legitimate ones, enabling malware to execute while appearing harmless to security applications.
The issue affects Windows 10 RS4 and later versions, including Windows 11, meaning that most modern enterprise Windows systems may be vulnerable if attackers gain local administrator privileges. As a result, Bitdefender reports that this technique is particularly relevant as ransomware groups often seek elevated permissions before deploying malicious software or disabling security controls, making it particularly effective.
Several attack methods were identified by researchers that abuse bind links. The first, file-binding, redirects trusted Dynamic Link Libraries (DLLs) paths to malicious DLLs, thus allowing attackers to bypass security mechanisms such as the Antimalware Scan Interface (AMSI). Second, process-binding tricks EDR solutions into inspecting trusted executables while a malicious file is actually being executed.
By using Windows silos to create isolated filesystem views, silo-binding is the most advanced technique. Using this technique, malware is permitted to run within the silo while external security tools will only view clean, legitimate files. By disguising Invoke-Mimikatz as a trusted Windows system process, Bitdefender successfully bypassed an EDR solution by demonstrating the technique in practice.
In addition to bypassing built-in Windows security measures such as AppLocker, Windows Firewall, and Sysmon, researchers observed that bind-link abuse was an effective post-compromise evasion technique. A legitimate Windows capability is exploited by bind-link abuse, unlike traditional "EDR killer" techniques which often rely upon vulnerable drivers.
Instead of creating a permanent file on disk, the malicious redirection occurs only in memory via the Windows' bindflt.sys minifilter driver. Although Microsoft acknowledged these findings, they rated the issue as low severity since it requires local administrator privileges to exploit it.
A ransomware group and advanced threat actor routinely obtain elevated privileges after compromising a computer system, according to Bitdefender, who disagreed with that assessment.
Using bind-link abuse is similar to the increasingly common Bring Your Own Vulnerable Driver (BYOVD) approach, as attackers are able to evade endpoint protection similarly, but utilizing legitimate Windows functionality rather than vulnerable drivers for evasion.
To detect path manipulation, endpoint security products should repeatedly verify the underlying file during execution to detect path manipulation.
In addition, Bitdefender recommended that security vendors refrain from solely using trusted file paths when validating processes. Moreover, the researchers noted that Windows 24H2 offers protection against certain bind-link scenarios, although they described the safeguard as only a partial one.
The findings of Bitdefender have been shared with Microsoft and the company has recommended strengthening monitoring of administrator-level activity and kernel-level filesystem changes.
In spite of the low severity of the issue, researchers report that attackers are increasingly utilizing legitimate Windows features rather than exploiting software vulnerabilities, resulting in a new challenge to endpoint security.
Bitdefender's findings illustrate the importance of stronger endpoint security beyond trustable file paths as attackers continue to exploit legitimate Windows features to evade detection. To protect against evolving post-compromise threats, organizations should closely monitor privileged activity and employ advanced detection techniques.