Novel Attack Techniques Abuse Windows Virtualization Feature to Evade EDR & Security

Bitdefender have released research documenting three previously undocumented attack techniques that abuse a legitimate Windows feature called bind links to bypass endpoint detection and response (EDR) and built-in Windows defenses, including AMSI, AppLocker, Windows Firewall, and Sysmon.

The techniques abuse a virtualization feature built into Windows 10 RS4+ and Windows 11 to redirect trusted file paths to attacker-controlled files — without modifying files on disk.

Key findings:

  • Three novel bind link attack techniques (File-Binding, Process-Binding, and Silo-Binding) evade security detection at the kernel level
  • Silo-Binding, the most advanced of the three, splits the filesystem into two views so malicious code executes inside an isolated container while security tools outside see only clean, legitimate files
  • Bitdefender successfully verified the techniques in a live environment, bypassing EDR defenses with the infostealer Invoke-Mimikatz 

You can read the report here:https://businessinsights.bitdefender.com/bind-link-abuses-windows-feature-edr-evasion-technique.

Leave a Reply

Discover more from The IT Nerd

Subscribe now to keep reading and get access to the full archive.

Continue reading