Bitdefender security researchers published the first public technical analysis of three techniques that abuse Windows bind links — a legitimate operating system mechanism for creating virtual directory junctions — to conceal malicious binaries and DLLs from endpoint detection and response tools. The research, released on July 15, demonstrates that an attacker who gains filesystem write access can redirect what trusted Windows processes and security tools load at runtime, making malware appear to be a clean, legitimate file to active EDR scanners during execution.
Three Bind Link Techniques Bitdefender Documented Against EDR
Windows bind links are an OS-level feature that creates a virtual mapping between one filesystem path and another, allowing the system to redirect path resolution transparently at the kernel level. Bitdefender’s research documents how attackers can exploit this redirection capability to manipulate what security tools observe when they inspect running processes, loaded modules, and executing binaries. The three documented techniques operate at different layers and require different attacker access levels.
The research focuses on the gap between what a forensic analyst reviewing filesystem artifacts would see — the bind link redirect, which is detectable — and what an active EDR tool examining a running process during execution would observe, which may be the clean substitute file rather than the malicious payload.
File-Binding and Process-Binding: What Standard-User Write Access Enables
File-binding redirects a DLL or binary path that a trusted Windows process or security tool depends on, substituting an attacker-controlled file in its place. Bitdefender’s analysis uses the AMSI DLL as a concrete example: AMSI, the Antimalware Scan Interface, is the mechanism through which Windows security products scan PowerShell scripts, Office macros, and other scripted content before execution. By hijacking the path from which PowerShell loads amsi.dll and redirecting it to a fake, non-scanning AMSI implementation, an attacker using file-binding can cause PowerShell to run without any malware scanning — not by terminating AMSI but by replacing the scanning component with one that does nothing. Any DLL path that a trusted process or security tool relies on is a potential file-binding target.
Process-binding extends this concept to executables: instead of redirecting a DLL, it redirects the path of a malicious binary to resolve as an innocuous, legitimate executable — such as winver.exe. When an EDR tool queries the path of the running process binary, it receives the path of the legitimate executable, not the malware. The malware executes; the EDR sees a different, trusted file.
Both file-binding and process-binding require attacker-controlled write access to the filesystem in a location where the redirect can be inserted. This is achievable through any vulnerability that provides standard-user-level write access to a directory in the DLL search path, which includes a substantial range of common privilege escalation and file write vulnerabilities.
Silo-Binding: How Isolated Filesystem Views Hide Malware at Administrator Level
Silo-binding operates differently from the first two techniques. It creates isolated filesystem views using Windows silos — a kernel-level isolation primitive. Inside the silo, the malware resolves to the real malicious file and executes normally. Outside the silo, where EDR scanning tools operate, the same filesystem path appears to resolve to a different, legitimate file. Two opposing bind links enforce this split view, preventing cross-silo detection.
The practical limitation is that silo-binding requires administrator access and the ability to create user-defined Windows silos. This is a higher privilege bar than file-binding or process-binding, and it is the reason Microsoft classified Bitdefender’s findings as low severity overall. Microsoft’s stated position is that “a user with admin rights can already do a lot of damage” — acknowledging that the technique requires a privilege level where many other attack capabilities are already available.
However, the file-binding and process-binding techniques, which require only standard-user write access, operate below administrator level and represent a meaningful attack capability for attackers who have achieved initial access but not yet escalated privileges.
Microsoft’s Classification and What EDR Vendors Face in Detecting Bind Links
Microsoft reviewed Bitdefender’s research and classified these as low-severity findings. The company’s assessment is driven by the administrator access requirement for the most powerful technique — silo-binding — rather than by a technical argument that the redirect mechanism itself poses no risk.
Bitdefender’s research specifies that the bind links created by file-binding and process-binding are “global and detectable by external scanners” — meaning a forensic analyst or an EDR tool designed to audit bind links can find the redirect when scanning the filesystem at rest. The evasion window is during active execution: EDR tools examining running processes at the time of execution may observe the legitimate substituted file rather than the malicious payload.
The disclosure puts EDR vendors on notice that bind link abuse is a documented evasion technique. Detecting bind link creation events in audit logs and monitoring for unexpected redirects on DLL search paths — particularly paths associated with security tools like AMSI — gives defenders a behavioral indicator to watch for independent of Microsoft’s severity classification.
