A new evasion technique disclosed by Bitdefender researchers highlights a critical blind spot in modern endpoint detection and response (EDR) architectures: Windows Bind Link Attacks. By manipulating the NTFS filesystem through bind links and mount points, adversaries can create conflicting filesystem views. This allows malicious software to exist in a state where standard security scanners see a benign or empty file path, while the operating system executes the malicious payload.
For SOC analysts and incident responders, this is a significant escalation in the arms race against defense evasion. If your EDR relies solely on user-mode hooks or standard file path enumeration, it is likely blind to payloads hidden using this method. We need to shift our detection strategy to focus on the creation of these filesystem artifacts rather than relying solely on file content scanning of the final path.
Technical Analysis
Affected Products & Platforms
- Platform: Microsoft Windows (Client and Server) utilizing NTFS.
- Mechanism: NTFS Reparse Points (specifically Mount Points and Bind Links).
How the Attack Works
The "Bind Link" attack leverages the flexibility of the NTFS filesystem to map two distinct file paths to a single set of data, or to redirect directory access transparently. Unlike standard symbolic links, bind links can create a scenario where a directory acts as a mount point for another volume or a completely different directory structure.
The Bitdefender research demonstrates that attackers can create a "conflicting view":
- The Malicious View: The attacker creates a bind link or mount point that points to a malicious executable or payload.
- The Clean View: When the EDR or scanner attempts to read the file path via the standard directory tree, the OS may present a different, legitimate file (or an empty file) due to how the junction resolution is handled in user-mode vs kernel-mode contexts.
This divergence allows the malware to execute (kernel resolving the link correctly) while remaining invisible to the security agent (user-mode agent resolving the link incorrectly or failing to traverse the reparse point).
Exploitation Status
- Status: Proof-of-Concept (PoC) demonstrated by researchers.
- Active Exploitation: While not yet widespread in commodity malware, this technique is expected to be rapidly adopted by sophisticated threat actors (APT groups and ransomware operators) to bypass next-gen AV/EDR solutions.
Detection & Response
Detecting bind link attacks requires hunting for the creation of the filesystem structures themselves, as the payload hiding "behind" them may be invisible to standard scans. We must monitor for administrative tools that manage reparse points.
Sigma Rules
---
title: Potential Bind Link Creation via Fsutil
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the use of fsutil.exe to create or query reparse points, which can be used for bind link attacks to hide files from EDR.
references:
- https://www.securityweek.com/windows-bind-link-attacks-can-hide-malware-from-edr-tools/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.defense_evasion
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\fsutil.exe'
CommandLine|contains:
- 'reparsepoint'
- 'binding'
condition: selection
falsepositives:
- System administrators managing disk structures (rare in user endpoints)
level: high
---
title: Suspicious Mount Point Creation via Mountvol
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the use of mountvol.exe to create mount points, a technique used in bind link attacks to redirect file paths.
references:
- https://www.securityweek.com/windows-bind-link-attacks-can-hide-malware-from-edr-tools/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.defense_evasion
- attack.t1070.006
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\mountvol.exe'
filter_legit:
User|contains:
- 'AUTHORI'
- 'SYSTEM'
condition: selection and not filter_legit
falsepositives:
- Legitimate administrative drive mounting
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for processes spawning command-line tools associated with reparse point manipulation, specifically looking for non-system accounts attempting these actions.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath endswith "\\fsutil.exe"
or FolderPath endswith "\\mountvol.exe"
or FolderPath endswith "\\cmd.exe"
or FolderPath endswith "\\powershell.exe"
| where ProcessCommandLine has "reparsepoint"
or ProcessCommandLine has "mountvol"
or ProcessCommandLine has "mklink"
| where AccountName !contains "ADMIN"
and AccountName !contains "SYSTEM"
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
Velociraptor VQL
Velociraptor can directly interrogate the NTFS metadata to find files with the ReparsePoint attribute set. This hunt identifies directories or files that are acting as bind links or junctions, regardless of whether an EDR can see the content behind them.
-- Hunt for reparse points which may indicate bind links or hidden mount points
SELECT FullPath, Size, Mtime, Atime,
Data.Type AS ReparseType, Data.SubstituteName AS TargetPath
FROM glob(globs="C:/Users/**", root="/")
WHERE Mode.IsReparsePoint
AND NOT FullPath =~ "^C:/Windows/AppReadiness"
AND NOT FullPath =~ "^C:/ProgramData/Microsoft/Windows/Start Menu"
Remediation Script (PowerShell)
Use this script to audit the current system for suspicious reparse points in user-writable directories where bind links are most likely to be planted.
# Audit Script: Detect Suspicious NTFS Reparse Points
# Identifies Junctions and Mount Points in User Profiles and Public folders
function Get-SuspiciousReparsePoints {
$pathsToScan = @(
"$env:PUBLIC",
"$env:USERPROFILE",
"C:\ProgramData"
)
Write-Host "[+] Scanning for Reparse Points (Junctions/Mount Points) in sensitive directories..." -ForegroundColor Cyan
foreach ($path in $pathsToScan) {
if (Test-Path $path) {
try {
Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Attributes -match 'ReparsePoint' } |
Select-Object FullName, Target, LinkType, LastWriteTime |
Format-Table -AutoSize
}
catch {
Write-Host "[-] Error scanning $path : $_" -ForegroundColor Red
}
}
}
}
# Execute Audit
Get-SuspiciousReparsePoints
Remediation
- Audit Filesystem Structures: Immediately run the PowerShell script above on critical assets to identify existing bind links or junctions in user-writable directories.
- Investigate Findings: Any reparse points in
%AppData%,%Temp%, or%Public%that point to root directories (e.g.,C:\,\Device\HarddiskVolume...) or non-standard locations should be treated as suspicious and investigated. - Restrict Symlink Creation: Configure Group Policy to restrict the creation of symbolic links to non-administrators.
- Path:
Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment - Policy: "Create symbolic links"
- Action: Remove "Everyone" and standard users; grant only to Administrators.
- Path:
- EDR Vendor Coordination: Contact your EDR vendor to confirm kernel-level visibility of bind link structures. Ensure your agents are capable of traversing reparse points during scans rather than skipping them.
- Patch Management: Ensure all Windows updates are applied, specifically those addressing NTFS handling and user-mode vs. kernel-mode path resolution disparities.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.