EDR-Redir uses the Windows Bind Filter (the bindflt.sys minifilter) to redirect the Endpoint Detection and Response (EDR) product's working folder to a folder of the attacker's choice. Alternatively, it can make the folder appear corrupt so that the EDR's service processes cannot function.
EDR-Redir.exe bind <VirtualPath> <BackingPath>
Creates a bind link from VirtualPath to BackingPath.
EDR-Redir.exe bind <VirtualPath> <BackingPath> <ExceptionPath>
"Powerful" mode: creates a bind link from VirtualPath to BackingPath while excluding ExceptionPath from the redirection. ExceptionPath is usually the antivirus/EDR path. Use this mode when you want to redirect a whole folder such as Program Files or Program Files (x86).
EDR-Redir.exe bind <VirtualPath>
Removes a link that was previously created.
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter
EDR-Redir V2: Blind EDR With Fake Program Files
- Microsoft Windows Defender, Elastic Defend, Sophos Intercept X, ESET Premium, CrowdStrike Falcon
- ...
YouTube EDR-Redir V1: https://www.youtube.com/watch?v=2_tanx7RSUw
YouTube EDR-Redir V2: https://youtu.be/PbXPChdWy3E
Essential hardware tools that every security researcher and hacker should have in their toolkit:
Essential Tools For Security Researcher and Hacker
Some books you should read to sharpen your cybersecurity skills, especially in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium Researchers
