This article discusses how threat actors can exploit the Bind Link API in Windows 11 to redirect EDR folders to locations under their control, allowing them to tamper with EDR operations. It details a proof of concept tool called EDR-Redir that demonstrates this technique and highlights detection strategies for security teams.