The Bitdefender company has identified three new, unprecedented attack techniques that take advantage of a legitimate functionality of Windows file system virtualization. These techniques allow you to evade endpoint detection and response (EDR) solutions and built-in security mechanisms such as AMSI, AppLocker, Windows Firewall, and Sysmon.

Bitdefender research reveals how cybercriminals can abuse so-called bind links, a feature used legitimately by Windows containers, Microsoft Store applications, and Windows Sandbox, to hide malicious activity from security tools without modifying a single file on disk.

Key findings from Bitdefender

· Bitdefender has named these new techniques File-Binding, Process-Binding and Silo-Binding, three methods designed to progressively overcome the detection limitations of the previous technique.

· Silo-Binding, the most advanced of the three techniques, splits the file system into two different views using Windows container isolation. This way, malware can run within an isolated environment while external security tools only look at legitimate, seemingly harmless files.

· Bitdefender has validated these techniques in a real-world environment, demonstrating their ability to bypass EDR defenses by running Invoke-Mimikatz, a well-known tool used for credential theft.

Bitdefender reported these findings to Microsoft. Although Microsoft classified these techniques as low severity due to the need for prior administrative privileges, Bitdefender researchers consider them to represent a higher risk as attackers have multiple methods to obtain such privileges on compromised systems, including widely used techniques such as BYOVD (Bring Your Own Vulnerable Driver). This research is available on the company’s website.