Saved February 14, 2026
Do you care about this?
This article discusses how threat actors can exploit the Bind Link API in Windows 11 to redirect EDR folders to locations under their control, allowing them to tamper with EDR operations. It details a proof of concept tool called EDR-Redir that demonstrates this technique and highlights detection strategies for security teams.
If you do, here's more
The Bind Link API in Windows 11 allows administrators to create mappings from a virtual path to a backing path, which can help improve application compatibility. However, this feature can be exploited by threat actors to redirect folders containing Endpoint Detection and Response (EDR) files to locations where they have write access. The proof of concept tool EDR-Redir uses the bindflt.sys driver to achieve this redirection, enabling attackers to tamper with EDR operations or execute unauthorized code.
EDR-Redir is executed through command-line instructions, allowing attackers to specify the virtual path (where the EDR is installed), the backing path (a folder they control), and the exception path (the EDR folder). By mimicking the legitimate EDR folder in a user-controlled location, attackers can drop malicious DLLs or executables, facilitating DLL hijacking and persistence. This technique poses a significant risk to the integrity of EDR systems since it can lead to undetected modifications and code execution under the EDR's context.
Detection of this tactic relies on monitoring the bindflt driver and on tools such as Sysmon that capture image load events. A Sysmon rule can flag loads of bindfltapi.dll, which is an indicator of a folder redirection attempt. Organizations should ensure their EDRs support monitoring for these activities so that alerts can be tuned to reduce false positives. The article also notes that several EDR solutions, including CrowdStrike and SentinelOne, have begun implementing BindFlt monitoring to mitigate these risks.
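As an added example of the detection logic described above (not code from the original article or from the EDR-Redir tool), the following Python script parses Sysmon Event ID 7 (Image Load) records in the Windows event XML layout and raises an alert whenever a process outside an allowlist loads bindfltapi.dll. The sample events, the allowlisted EDR service path and the alerting process path are all constructed for illustration.

```python
"""Flag Sysmon Event ID 7 (Image Load) records where bindfltapi.dll is loaded.

Added example, not from the original article or the EDR-Redir tool. The
events below are constructed sample input; the allowlisted path is an
assumption standing in for an organisation's own baseline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Module whose loading the article names as the indicator of a bind-link
# (folder redirection) attempt.
WATCHED_MODULE = "bindfltapi.dll"

# Hypothetical allowlist of processes confirmed to use the Bind Link API
# legitimately (assumption: populate from your own baseline, e.g. the EDR's
# own service). Everything else loading the module is alerted on.
ALLOWED_IMAGES = {
    r"c:\program files\vendor edr\edrservice.exe",
}

# Namespace used by Windows event XML, including Sysmon records.
NS = "http://schemas.microsoft.com/win/2004/08/events/event"


@dataclass
class ImageLoadAlert:
    utc_time: str
    process_id: str
    image: str
    image_loaded: str
    user: str


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text):
    """Return (event_id, {field_name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id, data = None, {}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "EventID":
            event_id = int(elem.text)
        elif name == "Data" and "Name" in elem.attrib:
            data[elem.attrib["Name"]] = (elem.text or "").strip()
    return event_id, data


def detect_bindflt_loads(events, allowed_images=ALLOWED_IMAGES):
    """Return an ImageLoadAlert for every Image Load event (ID 7) in which a
    non-allowlisted process loads bindfltapi.dll. Matching is case-insensitive
    on the full path so a copy of the module in another directory still hits."""
    alerts = []
    for xml_text in events:
        event_id, d = parse_sysmon_event(xml_text)
        if event_id != 7:
            continue  # not an image load event
        loaded = d.get("ImageLoaded", "").lower()
        image = d.get("Image", "").lower()
        if not loaded.endswith("\\" + WATCHED_MODULE):
            continue  # some other DLL
        if image in allowed_images:
            continue  # known legitimate user of the Bind Link API
        alerts.append(ImageLoadAlert(
            utc_time=d.get("UtcTime", ""),
            process_id=d.get("ProcessId", ""),
            image=d.get("Image", ""),
            image_loaded=d.get("ImageLoaded", ""),
            user=d.get("User", ""),
        ))
    return alerts


def make_event(event_id, **fields):
    """Build a Sysmon-style event record (constructed sample input only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample events: one suspicious load, one allowlisted load,
# one process-creation event, and one unrelated DLL load.
SAMPLE_EVENTS = [
    make_event(7, UtcTime="2026-02-14 10:15:02.117", ProcessId="4242",
               Image=r"C:\Users\alice\Downloads\tool.exe",
               ImageLoaded=r"C:\Windows\System32\bindfltapi.dll",
               User="LAB\\alice"),
    make_event(7, UtcTime="2026-02-14 10:15:03.004", ProcessId="1312",
               Image=r"C:\Program Files\Vendor EDR\edrservice.exe",
               ImageLoaded=r"C:\Windows\System32\bindfltapi.dll",
               User="NT AUTHORITY\\SYSTEM"),
    make_event(1, UtcTime="2026-02-14 10:15:01.900", ProcessId="4242",
               Image=r"C:\Users\alice\Downloads\tool.exe", User="LAB\\alice"),
    make_event(7, UtcTime="2026-02-14 10:15:02.050", ProcessId="4242",
               Image=r"C:\Users\alice\Downloads\tool.exe",
               ImageLoaded=r"C:\Windows\System32\kernel32.dll",
               User="LAB\\alice"),
]

if __name__ == "__main__":
    for alert in detect_bindflt_loads(SAMPLE_EVENTS):
        print(f"[bindflt load] {alert.utc_time} pid={alert.process_id} "
              f"{alert.image} loaded {alert.image_loaded} as {alert.user}")
```

The same condition expressed as a Sysmon configuration rule is an `ImageLoad` include rule with `ImageLoaded condition="end with"` set to `bindfltapi.dll`; the allowlist above is where the tuning the article recommends happens, since a vendor's own EDR components may legitimately use the Bind Link API.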