From 7c81c89632facca98c4e2657a8c161e6e0f2a754 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 20 May 2026 12:37:00 +0200
Subject: [PATCH] feat(rules): Add BindFlt DLL loaded by an unusual process

Detects the loading of bindfltapi.dll, bindflt.dll, or bindlink.dll DLL family that represents user-mode API surface of the Windows Bind Filter driver (bindflt.sys) by processes outside the known legitimate consumer set. The Bind Filter driver allows administrator-level callers to create transparent, application-invisible redirections from a virtual file system path to an arbitrary local or remote backing path. While legitimately used by WSL2, Windows Containers, Windows Sandbox, Hyper-V, and MSIX packaging, this capability has been weaponised in multiple public tools to perform EDR and AV evasion.
---
 ...ndflt_dll_loaded_by_an_unusual_process.yml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 rules/defense_evasion_bindflt_dll_loaded_by_an_unusual_process.yml

diff --git a/rules/defense_evasion_bindflt_dll_loaded_by_an_unusual_process.yml b/rules/defense_evasion_bindflt_dll_loaded_by_an_unusual_process.yml
new file mode 100644
index 000000000..b8bf888c0
--- /dev/null
+++ b/rules/defense_evasion_bindflt_dll_loaded_by_an_unusual_process.yml
@@ -0,0 +1,59 @@
+name: BindFlt DLL loaded by an unusual process
+id: fa439e69-2a73-49f9-8385-0e7f801f67db
+version: 1.0.0
+description: |
+ Detects the loading of bindfltapi.dll, bindflt.dll, or bindlink.dll DLL family that
+ represents user-mode API surface of the Windows Bind Filter driver (bindflt.sys)
+ by processes outside the known legitimate consumer set. The Bind Filter driver allows
+ administrator-level callers to create transparent, application-invisible redirections
+ from a virtual file system path to an arbitrary local or remote backing path.
+ While legitimately used by WSL2, Windows Containers, Windows Sandbox, Hyper-V, and
+ MSIX packaging, this capability has been weaponised in multiple public tools to perform
+ EDR and AV evasion.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1574
+ technique.name: Hijack Execution Flow
+ technique.ref: https://attack.mitre.org/techniques/T1574/
+references:
+ - https://github.com/Nukem9/BindFltAPI
+ - https://github.com/TwoSevenOneT/EDR-Redir
+ - https://ipurple.team/2025/12/01/bind-link-edr-tampering/
+ - https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html
+
+condition: >
+ load_dll and
+ dll.name iin ('bindfltapi.dll', 'bindflt.dll', 'bindlink.dll') and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\wsl.exe',
+ '?:\\Windows\\System32\\wslhost.exe',
+ '?:\\Windows\\System32\\wslservice.exe',
+ '?:\\Windows\\System32\\vmcompute.exe',
+ '?:\\Windows\\System32\\vmwp.exe',
+ '?:\\Windows\\System32\\CExecSvc.exe',
+ '?:\\Windows\\System32\\WindowsSandboxClient.exe',
+ '?:\\Windows\\System32\\WindowsSandboxRemoteSession.exe',
+ '?:\\Windows\\System32\\ContainerManager.exe',
+ '?:\\Windows\\System32\\HvHost.exe',
+ '?:\\Windows\\System32\\msixmgr.exe',
+ '?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe',
+ '?:\\Program 
Files\\Docker\\Docker\\Docker Desktop.exe',
+ '?:\\Users\\*\\AppData\\Local\\Docker\\Desktop\\Docker Desktop.exe'
+ ) and
+ not (ps.sid = 'S-1-5-18' and
+ ps.exe imatches
+ (
+ '?:\\Windows\\System32\\*.exe',
+ '?:\\Windows\\SysWOW64\\*.exe'
+ ) and
+ ps.signature.subject imatches ('*Microsoft Windows*', '*Microsoft Corporation*') and ps.signature.trusted = true)
+action:
+ - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
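Review bot: The `'?:\\Users\\*\\AppData\\Local\\Docker\\Desktop\\Docker Desktop.exe'` entry in the `ps.exe not imatches` list is a path-only exclusion under a per-user, user-writable directory, so any image that happens to sit at that path is exempt with no signer check, while the SYSTEM/System32 carve-out a few lines below does require `ps.signature.subject` and `ps.signature.trusted = true`. Since the description itself states the capability needs administrator-level callers, the `?:\\Program Files\\Docker\\...` entries are weakened by the same reasoning, though less so. Consider moving the Docker entries into their own signature-gated clause in the same shape as the SYSTEM one, e.g. `not (ps.exe imatches ('?:\\Users\\*\\AppData\\Local\\Docker\\Desktop\\Docker Desktop.exe', '?:\\Program Files\\Docker\\Docker\\*.exe') and ps.signature.subject imatches ('*Docker Inc*') and ps.signature.trusted = true)` (signer pattern to be confirmed against the actual certificate subject). Given `action: - name: kill` with `severity: high`, a process not on this fixed allowlist (other virtualisation or container products that use the same API surface) is terminated rather than merely alerted on, so it may be worth documenting in `description` that the consumer list is expected to be tuned per environment before the kill action is enabled.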