Bitdefender is warning that a legitimate Windows component,
The immediate takeaway for Windows administrators is not that a remote attacker can suddenly compromise every PC. Bitdefender’s techniques require local administrator rights first. But that prerequisite is far from a dismissal in a ransomware-era enterprise: attackers routinely pursue privileged access precisely to disable, evade, or degrade defenses before credential theft, lateral movement, and encryption.
Microsoft reportedly assessed the disclosure as low severity because of that administrator requirement. Bitdefender’s argument is more practical: administrator access should not become an automatic EDR blind spot. That is the same post-compromise problem behind bring-your-own-vulnerable-driver attacks, except bind-link abuse does not require loading a known-vulnerable driver. It uses a documented Windows virtualization feature already present in the operating system.
Windows bind links are a filesystem redirection mechanism handled by the Bind Filter minifilter driver,
The crucial detail is that a bind link is not an ordinary symbolic link or a filesystem reparse point. It does not have to create a visible object on disk at the virtual path, and it can shadow a file that already exists. The clean original can remain intact, signed, and available to ordinary file enumeration, while the kernel redirects opens of that path to a different backing file.
That redirection is held in Bind Filter’s in-memory mapping state and normally disappears after restart or removal. For defenders, this means familiar checks can return reassuring but incomplete evidence: a trusted executable may still be present in
According to Bitdefender, the fundamental broken assumption is simple: security products often make policy, reputation, signature, hashing, and telemetry decisions based on a reported image path. Bind links can split the path from the file actually handed to the requesting process.
The scope cited by the researchers is broad. They say the primitive is available on Windows 10 version 1803—also known as RS4—and later, plus Windows 11, once an attacker has administrative access. That encompasses a substantial portion of managed Windows estates still in service.
AMSI is a particularly important target because it is used by PowerShell, script hosts, and Office-related script execution paths. In a conventional attack, tampering with
The second technique, Process-Binding, applies the same idea to executable images. Bitdefender’s demonstration maps a trusted executable path to a different executable, creating a mismatch between the process identity reported to some observers and the image that actually runs.
This is not process injection, process hollowing, or a typical DLL side-loading chain. The process begins through a normal Windows launch flow, but its apparent image path can diverge from the backing executable. That matters for security controls that allow or block activity based on an executable’s location, publisher, signature, or path-derived reputation.
Bitdefender notes that plain Process-Binding has weaknesses from an attacker’s perspective: because the binding is global, another tool may reopen the path and observe signs of the discrepancy. That leads to the third technique, which is the most consequential.
Silo-Binding uses Windows silos—the isolation construct associated with containers and similar boundaries—to create separate filesystem views. Inside the silo, a trusted-looking path can resolve to a malicious payload. Outside the silo, a security product reopening that path or examining the payload’s location can be redirected to the clean original instead.
The result is a deliberately inconsistent reality. The malicious process runs inside the isolated context while EDR, AppLocker, Sysmon, a firewall rule, or an asynchronous scanner outside that context sees the legitimate file. Bitdefender demonstrated the approach with Invoke-Mimikatz, a credential-theft tool, apparently running under the identity of
That is why the research matters beyond one product or one bypass. It challenges the notion that a later scan, a rehash, or a second file open independently validates what ran at process creation time. Under Silo-Binding, the same filename can yield a different answer depending on who is asking and from which execution context.
That is useful, but Bitdefender describes it as a partial mitigation rather than a universal fix. The veto applies only to bind links on the system boot partition, and the filtering driver must be positioned below Bind Filter to intercept the relevant request. Older Windows versions do not have this capability, and the researchers say the creation-time veto can be bypassed in some scenarios.
The practical implication is that simply moving an organization to Windows 11 24H2 does not automatically neutralize the technique. The operating system provides a mechanism endpoint vendors can use, but detection and prevention still depend on whether the security stack is architected to query and validate the actual backing file.
Microsoft’s own bind-link documentation reinforces why this is difficult: bind links are intentionally transparent to applications, and existing APIs operate without awareness of the redirection. That is a feature for supported virtualization workloads. It becomes a security problem when monitoring tools assume transparency also means identity.
Administrators should ask whether their product resolves the true backing file rather than trusting the image path supplied during process-creation notification. They should also ask whether that verification happens again when the product later hashes, scans, disinfects, or otherwise reopens the file.
A useful internal validation plan should include the following defensive checks:
No active criminal use of Bitdefender’s newly named File-Binding, Process-Binding, or Silo-Binding techniques has been publicly established in the reporting so far. But the research provides a clear post-compromise playbook, and the underlying capability is neither a third-party driver bug nor a fragile exploit chain.
For Windows defenders, the durable lesson is that a file path is not a file identity. Windows 11 24H2 provides a limited veto mechanism, but the more important next step is vendor-side: endpoint products need to resolve and re-resolve the backing object behind a path before treating it as evidence of what actually executed.
bindflt.sys, can be abused after a local administrator compromise to make endpoint security products inspect a clean file while malicious code executes through the same apparent path. The research, published July 15 by Bitdefender Labs and independently reported by CSO Online, describes three techniques—File-Binding, Process-Binding, and Silo-Binding—that can undermine path-based trust in EDR, AppLocker, Windows Firewall, Sysmon, AMSI, and forensic tools.The immediate takeaway for Windows administrators is not that a remote attacker can suddenly compromise every PC. Bitdefender’s techniques require local administrator rights first. But that prerequisite is far from a dismissal in a ransomware-era enterprise: attackers routinely pursue privileged access precisely to disable, evade, or degrade defenses before credential theft, lateral movement, and encryption.
Microsoft reportedly assessed the disclosure as low severity because of that administrator requirement. Bitdefender’s argument is more practical: administrator access should not become an automatic EDR blind spot. That is the same post-compromise problem behind bring-your-own-vulnerable-driver attacks, except bind-link abuse does not require loading a known-vulnerable driver. It uses a documented Windows virtualization feature already present in the operating system.
A trusted path can no longer be treated as a trusted file
Windows bind links are a filesystem redirection mechanism handled by the Bind Filter minifilter driver, bindflt.sys. Microsoft documents bind links as a way to associate a local virtual path with a backing path, supporting legitimate scenarios including Windows containers, Windows Sandbox, and application virtualization.The crucial detail is that a bind link is not an ordinary symbolic link or a filesystem reparse point. It does not have to create a visible object on disk at the virtual path, and it can shadow a file that already exists. The clean original can remain intact, signed, and available to ordinary file enumeration, while the kernel redirects opens of that path to a different backing file.
That redirection is held in Bind Filter’s in-memory mapping state and normally disappears after restart or removal. For defenders, this means familiar checks can return reassuring but incomplete evidence: a trusted executable may still be present in
C:\Windows\System32, its hash may be correct when examined conventionally, and yet an application opening that same path could receive attacker-controlled content.According to Bitdefender, the fundamental broken assumption is simple: security products often make policy, reputation, signature, hashing, and telemetry decisions based on a reported image path. Bind links can split the path from the file actually handed to the requesting process.
The scope cited by the researchers is broad. They say the primitive is available on Windows 10 version 1803—also known as RS4—and later, plus Windows 11, once an attacker has administrative access. That encompasses a substantial portion of managed Windows estates still in service.
Three escalating ways to hide activity
Bitdefender’s first technique, File-Binding, targets a file or DLL path trusted by a Windows component or endpoint product. Rather than modifying the legitimate file, an attacker redirects the trusted path to malicious content. The company says this could interfere with AMSI, user-mode EDR sensor DLLs, Event Tracing for Windows providers, and some forensic artifacts.AMSI is a particularly important target because it is used by PowerShell, script hosts, and Office-related script execution paths. In a conventional attack, tampering with
amsi.dll or related scanning logic risks leaving an obvious on-disk change, a suspicious memory patch, or both. File-Binding shifts the point of manipulation to filesystem resolution: the application asks for the trusted library, but the kernel supplies another file.The second technique, Process-Binding, applies the same idea to executable images. Bitdefender’s demonstration maps a trusted executable path to a different executable, creating a mismatch between the process identity reported to some observers and the image that actually runs.
This is not process injection, process hollowing, or a typical DLL side-loading chain. The process begins through a normal Windows launch flow, but its apparent image path can diverge from the backing executable. That matters for security controls that allow or block activity based on an executable’s location, publisher, signature, or path-derived reputation.
Bitdefender notes that plain Process-Binding has weaknesses from an attacker’s perspective: because the binding is global, another tool may reopen the path and observe signs of the discrepancy. That leads to the third technique, which is the most consequential.
Silo-Binding uses Windows silos—the isolation construct associated with containers and similar boundaries—to create separate filesystem views. Inside the silo, a trusted-looking path can resolve to a malicious payload. Outside the silo, a security product reopening that path or examining the payload’s location can be redirected to the clean original instead.
The result is a deliberately inconsistent reality. The malicious process runs inside the isolated context while EDR, AppLocker, Sysmon, a firewall rule, or an asynchronous scanner outside that context sees the legitimate file. Bitdefender demonstrated the approach with Invoke-Mimikatz, a credential-theft tool, apparently running under the identity of
tiworker.exe, the Windows Modules Installer Worker process.That is why the research matters beyond one product or one bypass. It challenges the notion that a later scan, a rehash, or a second file open independently validates what ran at process creation time. Under Silo-Binding, the same filename can yield a different answer depending on who is asking and from which execution context.
Windows 11 24H2 adds a brake, not a complete fix
Microsoft added a bind-link veto capability in Windows 11 version 24H2. Its driver documentation says a minifilter can reject a proposed bind link for paths it protects, potentially allowing an antivirus product to stop redirection involving sensitive directories.That is useful, but Bitdefender describes it as a partial mitigation rather than a universal fix. The veto applies only to bind links on the system boot partition, and the filtering driver must be positioned below Bind Filter to intercept the relevant request. Older Windows versions do not have this capability, and the researchers say the creation-time veto can be bypassed in some scenarios.
The practical implication is that simply moving an organization to Windows 11 24H2 does not automatically neutralize the technique. The operating system provides a mechanism endpoint vendors can use, but detection and prevention still depend on whether the security stack is architected to query and validate the actual backing file.
Microsoft’s own bind-link documentation reinforces why this is difficult: bind links are intentionally transparent to applications, and existing APIs operate without awareness of the redirection. That is a feature for supported virtualization workloads. It becomes a security problem when monitoring tools assume transparency also means identity.
Security teams need answers from their EDR vendor
Bitdefender says its GravityZone platform already detects this class of tampering, though the company has not published the implementation details. Every other EDR vendor should now be answering a more specific technical question than “do you detect process masquerading?”Administrators should ask whether their product resolves the true backing file rather than trusting the image path supplied during process-creation notification. They should also ask whether that verification happens again when the product later hashes, scans, disinfects, or otherwise reopens the file.
A useful internal validation plan should include the following defensive checks:
- Security teams should identify which endpoint controls rely on executable paths, including AppLocker policies, firewall rules, EDR exclusions, software allowlisting, and DLP rules.
- EDR vendors should confirm whether their Windows sensor enumerates active bind-link mappings, including silo-scoped mappings that may not appear in ordinary filesystem inspection.
- Organizations should treat unexpected local administrator access as an immediate containment event, even when endpoint telemetry appears benign or unusually quiet.
- Teams using Docker Desktop should review membership of the local
docker-usersgroup, following Bitdefender’s separate report of a path from that group to SYSTEM and Docker’s updated warning about its administrative implications.
docker-users could reach SYSTEM through Windows container bind mounts. Docker subsequently updated its documentation to warn that group members can elevate to administrator on the host.No active criminal use of Bitdefender’s newly named File-Binding, Process-Binding, or Silo-Binding techniques has been publicly established in the reporting so far. But the research provides a clear post-compromise playbook, and the underlying capability is neither a third-party driver bug nor a fragile exploit chain.
For Windows defenders, the durable lesson is that a file path is not a file identity. Windows 11 24H2 provides a limited veto mechanism, but the more important next step is vendor-side: endpoint products need to resolve and re-resolve the backing object behind a path before treating it as evidence of what actually executed.
References
- Primary source: SecurityBrief Australia
Published: 2026-07-16T02:50:00+00:00
Loading…
securitybrief.com.au - Official source: learn.microsoft.com
Vetoing a Bind Link - Windows drivers | Microsoft Learn
Minifilters can veto a bind link on the system boot partition starting in Windows 11, version 24H2.learn.microsoft.com - Related coverage: businessinsights.bitdefender.com
Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR
A bind link is a building block that an attacker can combine into larger attacks. We've documented and named three such techniques in this new research.businessinsights.bitdefender.com - Related coverage: csoonline.com
New Windows Bind Link techniques let attackers evade EDR, security controls | CSO Online
The File-Binding, Process-Binding, and Silo-Binding techniques abuse Windows filesystem virtualization features to present trusted files to security products while malware executes undetected.www.csoonline.com
- Related coverage: itbrief.asia
Loading…
itbrief.asia