Microsoft spends many resources every year patching possible security holes and empowering security application vendors to build better and more reliable products. In this context, it is always interesting to find out how new Windows features impact existing anti-malware solutions.
Bindlinks are a new technology with features reminiscent of symbolic links. They provide enhanced file and directory aliasing capabilities, but they also introduce novel security concerns, especially when used inside a Silo. Although Microsoft considers local administrator privileges a sufficiently strong boundary, our research demonstrates that attackers can achieve significant defense evasion and privilege escalation through bindlinks.
We built a new process impersonation method, similar to Hollowing and Doppelgänging, which we name “Silo-Binding”; it enables adversaries to bypass detection by masking malicious processes inside Silos as legitimate applications. We reveal critical side effects, including firewall evasion, stealthy DLL hijacking for code injection, and disruption of security solution sensors. Bindlinks’ capability to manipulate AMSI Providers, ETW event schema DLLs, and EDR hooking DLLs underscores their considerable threat potential, as adversaries can disable endpoint protection mechanisms and evade forensic detection methods altogether. Furthermore, we highlight how attackers can leverage bindlinks against Volume Shadow Copies to access sensitive data or execute malicious processes from unexpected locations.
Finally, we explore bindlinks’ implications for Docker on Windows, showing how users within the seemingly limited “docker-users” group effectively possess administrator-level control if Windows Containers are enabled.

