Security researchers at Bitdefender have demonstrated three attack techniques in which Windows’ bind links can be used to evade endpoint detection and response (EDR) products.
Bind links are a legitimate Windows feature implemented by bindflt.sys and used by Store apps, Windows Sandbox, and Windows containers. They are a kernel-level redirection mechanism creating a virtual path that transparently maps onto the real backing path.
However, if the bind link is altered so the backing path points to a file controlled by an attacker, then that file is accessed effectively invisibly. Under certain circumstances, this could lead to loading hidden malware while all the system sees is a visible link pointing at a known innocuous file.
For example, report the researchers, if the backing path is, “Pointed at a DLL, it becomes file-binding: a process loads an attacker’s file from a path it trusts.”
The security problem arises because defenses are heavily reliant on paths. If it is a valid and expected Windows path, most defenses ignore or allow it. Bind links appear to be valid, so they are ignored even though they may have been manipulated to invisibly lead to malicious content. “The attacker changes file resolution and lets a trusted Windows component do the rest.”







