From 338534e85642966029f9a6289f6806c2dcfcd938 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 24 Jun 2026 17:54:38 +0200
Subject: [PATCH] fix(rules): Improve Suspicious virtual path redirection rule

The rule event condition is changed to open_file, as bind filter doesn't create any directories/files on the file system. The attack target is narrowed to file locations of interes, and more hardening against false positives is added. Finally, the rule is renamed to precisely convey the intent.
---
 ...on_suspicious_virtual_path_redirection.yml | 54 --------------
 ...rtual_path_redirection_via_bind_filter.yml | 71 +++++++++++++++++++
 2 files changed, 71 insertions(+), 54 deletions(-)
 delete mode 100644 rules/defense_evasion_suspicious_virtual_path_redirection.yml
 create mode 100644 rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml

diff --git a/rules/defense_evasion_suspicious_virtual_path_redirection.yml b/rules/defense_evasion_suspicious_virtual_path_redirection.yml
deleted file mode 100644
index d2b15738b..000000000
--- a/rules/defense_evasion_suspicious_virtual_path_redirection.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Suspicious virtual path redirection
-id: 71a7ba01-a7a9-428a-8704-72b200f9b43c
-version: 1.0.0
-description: |
- Detects attempts to create files in user-writable or system-temporary locations
- where the thread call stack shows use of APIs commonly involved in virtual-path
- redirection / bind filter registration.
- Attackers sometimes abuse virtual-path redirection, filter drivers, or cloud-sync
- registration to place malicious payloads in locations that are later resolved or
- served via trusted paths to evade detection or gain persistence.
-labels:
- tactic.id: TA0005
- tactic.name: Defense Evasion
- tactic.ref: https://attack.mitre.org/tactics/TA0005/
- technique.id: T1562
- technique.name: Impair Defenses
- technique.ref: https://attack.mitre.org/techniques/T1562/
- subtechnique.id: T1562.001
- subtechnique.name: Disable or Modify Tools
- subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
-references:
- - https://github.com/TwoSevenOneT/EDR-Redir
- - https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html
-
-condition: >
- create_file and
- evt.pid != 4 and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile') and
- thread.callstack.symbols imatches ('bindfltapi.dll!BfSetupFilter', 'cldapi.dll!CfRegisterSyncRoot') and
- file.path imatches
- (
- '?:\\Users\\*\\AppData\\Local\\Temp\\*',
- '?:\\Users\\*\\AppData\\Local\\VirtualStore\\*',
- '?:\\Users\\*\\AppData\\Roaming\\*',
- '?:\\Users\\Public\\*',
- '?:\\Users\\*\\Pictures\\*',
- '?:\\Users\\*\\Music\\*',
- '?:\\ProgramData\\*',
- '?:\\Windows\\Tasks\\*',
- '?:\\Windows\\System32\\Tasks\\*',
- '?:\\Windows\\Temp\\*',
- '?:\\Windows\\tracing\\*',
- '?:\\Temp\\*',
- '?:\\Tmp\\*',
- '?:\\PerfLogs\\*',
- '?:\\$Recycle.Bin\\*',
- '?:\\Intel\\*',
- '?:\\AMD\\Temp\\*'
- )
-
-output: >
- Suspicious virtual path redirection mapped to %file.path by process %ps.exe
-severity: high
-
-min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml b/rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml
new file mode 100644
index 000000000..ca9c5b87a
--- /dev/null
+++ b/rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml
@@ -0,0 +1,71 @@
+name: Suspicious virtual path redirection via bind filter
+id: 71a7ba01-a7a9-428a-8704-72b200f9b43c
+version: 2.0.0
+description: |
+ Detects attempts to open files or directories under security software parent paths
+ where the calling thread's stack shows active use of the Bind Filter API
+ (BfSetupFilter) or Cloud Filter API (CfRegisterSyncRoot) routed through a kernel
+ DeviceIoControlFile call. This combination is the precise behavioural fingerprint
+ of EDR redirection attacks, which enumerate and mirror subdirectories under parent
+ directories such as Program Files or ProgramData to construct bind link loops that
+ blind security products without disrupting other software.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1562
+ technique.name: Impair Defenses
+ technique.ref: https://attack.mitre.org/techniques/T1562/
+ subtechnique.id: T1562.001
+ subtechnique.name: Disable or Modify Tools
+ subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
+references:
+ - https://github.com/TwoSevenOneT/EDR-Redir
+ - https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html
+
+condition: >
+ open_file and
+ evt.pid != 4 and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile') and
+ thread.callstack.symbols imatches ('bindfltapi.dll!BfSetupFilter', 'cldapi.dll!CfRegisterSyncRoot') and
+ file.path imatches
+ (
+ '?:\\Temp\\*',
+ '?:\\Program Files\\*',
+ '?:\\Windows',
+ '?:\\Windows\\System32',
+ '?:\\Windows\\SysWOW64',
+ '?:\\Program Files (x86)\\*',
+ '?:\\ProgramData\\Microsoft\\*'
+ ) and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\RuntimeBroker.exe',
+ '?:\\Windows\\System32\\SearchProtocolHost.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\sihost.exe',
+ '?:\\Windows\\System32\\explorer.exe',
+ '?:\\Windows\\System32\\ShellHost.exe',
+ '?:\\Windows\\System32\\FileSyncConfig.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\wsl.exe',
+ '?:\\Windows\\System32\\wslhost.exe',
+ '?:\\Windows\\System32\\wslservice.exe',
+ '?:\\Windows\\System32\\vmcompute.exe',
+ '?:\\Windows\\System32\\vmwp.exe',
+ '?:\\Windows\\System32\\CExecSvc.exe',
+ '?:\\Windows\\System32\\WindowsSandboxClient.exe',
+ '?:\\Windows\\System32\\WindowsSandboxRemoteSession.exe',
+ '?:\\Windows\\System32\\ContainerManager.exe',
+ '?:\\Windows\\System32\\HvHost.exe',
+ '?:\\Windows\\System32\\msixmgr.exe',
+ '?:\\Program Files\\Microsoft OneDrive\\*\\OneDrive.exe',
+ '?:\\Program Files\\Microsoft OneDrive\\*\\FileCoAuth.exe'
+ )
+action:
+ - name: kill
+
+output: >
+ Suspicious virtual path redirection targeting %file.path by process %ps.exe
+severity: high
+
+min-engine-version: 3.0.0
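Review bot: The `ps.exe not imatches` exclusion list contains `'?:\\Windows\\System32\\svchost.exe'` twice (once near the top of the list and again immediately after the FileSyncConfig.exe entry); drop the second occurrence. In the same list, `'?:\\Windows\\System32\\explorer.exe'` is unlikely to ever match, because explorer.exe normally resides at `?:\\Windows\\explorer.exe` rather than under System32, so if Explorer is meant to be exempted the path should be corrected — this matters here since the rule's action is `kill`, so a non-matching exclusion terminates the process. Separately, the description states that the attack mirrors subdirectories under parent directories "such as Program Files or ProgramData", yet the `file.path` patterns only cover `'?:\\ProgramData\\Microsoft\\*'`; either widen that pattern or add a line to the description noting that the ProgramData scope is intentionally limited to the Microsoft subtree. It would also help future tuning to add a short comment above the exclusion block explaining that the listed binaries are legitimate Bind Filter / Cloud Filter users (WSL, Hyper-V, Windows Sandbox, OneDrive), since the rationale is not otherwise recorded in the file.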