EDR-Redir uses the Bind Filter mini filter (bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect an Endpoint Detection and Response (EDR) product's working folder to a folder of the attacker's choice. Alternatively, it can make the folder appear corrupt so that the EDR's service processes stop functioning.
EDR-Redir.exe bind <VirtualPath> <BackingPath>
    Create a bind link from VirtualPath to BackingPath
EDR-Redir.exe bind <VirtualPath>
    Remove a bind link that was previously created
EDR-Redir.exe cloud <SyncRootPath> create
    Register a cloud sync root folder
EDR-Redir.exe cloud <SyncRootPath>
    Remove a sync root that was previously created
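A defender-side check, added here as an example and not part of EDR-Redir itself: it enumerates the Cloud Filter sync roots registered under the SyncRootManager registry key and flags any whose path overlaps a folder an EDR relies on. The key layout and the candidate EDR folder paths are assumptions of this example, and it covers only the cloud sync root route, not bind links created through bindflt.

```powershell
# Added example (not part of EDR-Redir). Assumptions: the SyncRootManager key
# layout below and the candidate EDR folder list are this example's own.
$edrFolders = @(
    "$env:ProgramData\Microsoft\Windows Defender",  # assumed Defender working folder
    "$env:ProgramFiles\Elastic\Endpoint",           # assumed Elastic Defend folder
    "$env:ProgramFiles\Sophos"                      # assumed Sophos folder
)

function Test-PathOverlap([string]$a, [string]$b) {
    # True when either path equals the other or sits beneath it.
    $a = $a.TrimEnd('\'); $b = $b.TrimEnd('\')
    return ($a -ieq $b) -or
           $a.StartsWith($b + '\', 'OrdinalIgnoreCase') -or
           $b.StartsWith($a + '\', 'OrdinalIgnoreCase')
}

function Get-SuspiciousSyncRoots {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    $findings = @()
    if (-not (Test-Path $key)) { return $findings }

    foreach ($root in Get-ChildItem $key) {
        # Each sync root keeps its per-user paths as values under UserSyncRoots.
        $userRoots = Join-Path $root.PSPath 'UserSyncRoots'
        if (-not (Test-Path $userRoots)) { continue }

        $props = Get-ItemProperty $userRoots
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata members
            $path = [string]$p.Value
            foreach ($edr in $edrFolders) {
                if (Test-PathOverlap $path $edr) {
                    $findings += [pscustomobject]@{
                        SyncRootId = $root.PSChildName
                        SyncPath   = $path
                        Overlaps   = $edr
                    }
                }
            }
        }
    }
    return $findings
}

$hits = Get-SuspiciousSyncRoots
if ($hits) { $hits | Format-Table -AutoSize } else { 'No sync root overlaps an EDR folder.' }
```

Run it elevated so the HKLM key is readable; a hit means a cloud sync root has been registered on top of an EDR folder, which is exactly the condition the cloud command above creates and which should be investigated and the sync root removed.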
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter
- Microsoft Windows Defender
- Elastic Defend
- Sophos Intercept X
YouTube: https://www.youtube.com/watch?v=2_tanx7RSUw
Some books you should read to sharpen your cybersecurity skills, especially in offensive security:
Books on Programming and Cybersecurity Recommended by Zero Salarium Researchers
