SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Bitdefender flags Windows bind links that blind EDR

Bitdefender flags Windows bind links that blind EDR

Thu, 16th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Bitdefender has identified three Windows attack techniques that can blind endpoint detection and response tools. The methods abuse a legitimate Windows feature called bind links.

The research focuses on a mechanism that redirects a trusted file path to an attacker-controlled file without changing the original file on disk. Security tools may continue to see a clean, signed file while malicious code runs through the redirected path.

The issue affects Windows 10 RS4 and later, as well as Windows 11, once an attacker has local administrator access. That makes the finding relevant to a large share of corporate Windows fleets, where ransomware groups often seek administrator rights before deploying malware.

Three methods

Bitdefender documented three techniques that exploit bind links to defeat path-based security checks at kernel level.

The first, File-Binding, redirects a trusted file or DLL path to attacker-controlled content. This can be used to neutralise the Antimalware Scan Interface, interfere with EDR sensor DLLs and alter forensic logs.

The second, Process-Binding, applies the same approach to executables. In that case, the operating system reports that a trusted program is running while a different executable is launched.

The third, Silo-Binding, is the most advanced of the three. It creates two separate filesystem views, with malicious code running inside an isolated container while monitoring tools outside the container continue to see legitimate files.

In a live test, Bitdefender used that approach to run the credential theft tool Invoke-Mimikatz past EDR by disguising it as a trusted Windows system process. The same method could also affect built-in Windows security controls including AppLocker, Windows Firewall and Sysmon.

How it works

Bind links are handled by a Windows minifilter driver called bindflt.sys. The redirection exists in memory rather than as a persistent file, so it is not visible through normal file enumeration and disappears after a reboot.

That sets the technique apart from other methods used to disable endpoint tools. Ransomware operators already use so-called EDR killers as part of standard attack playbooks, but bind-link abuse does not rely on a vulnerable driver. Instead, it uses a documented Windows feature.

Microsoft assessed the issue as low severity because it requires administrator access. Bitdefender argued that the need for elevated privileges should not remove the need for detection, drawing a comparison with how the industry treats bring-your-own-vulnerable-driver tactics.

Broader findings

Alongside the bind-link research, Bitdefender found and reported a Docker Desktop flaw that allowed a non-administrator member of the docker-users group to escalate privileges to SYSTEM. Docker later updated its documentation to warn users after the disclosure.

The findings add to a broader debate in the security market over what happens after an attacker gains administrator rights inside a Windows environment. Many endpoint products focus heavily on prevention when a process starts, but the bind-link methods Bitdefender described are designed to exploit trust in the file path reported at launch.

Bitdefender said defenders should stop relying solely on the image path shown at process creation and instead recheck the underlying file whenever it is reopened. That reflects the core problem identified in the research: tools can make a decision based on one file path while the operating system resolves that path to different content at execution time.

Bitdefender also said a veto introduced in Windows 24H2 blocks some bind links, but described that as only a partial fix. That suggests defenders may need changes in both endpoint products and operating system behaviour to close the gap fully.

The research highlights a recurring tension in Windows security between legitimate system features and the ways attackers can repurpose them once they obtain privileged access. In this case, the concern is not a conventional software bug but the use of documented operating system behaviour to create a blind spot in monitoring and detection.

Every Windows 10 RS4+ and Windows 11 machine is exposed once an attacker has local administrator access, covering most Australian enterprise fleets.