@vl43den vl43den commented Nov 6, 2025

Summary of the Pull Request

Adds Windows Security (Event ID 4663) detections for FILE_EXECUTE access to the BindFlt API DLL, which, as stated in ZeroSalarium's reference, is possible from user mode. These rules are intended for defensive validation of BindFlt API usage as described in ZeroSalarium's research ("EDR-Redir V2 – Blind EDR With Fake Program Files"), and help surface processes that load the BindFlt API to create redirecting bind links with the goal of evading EDR solutions (Defender, Elastic Defend, Sophos Intercept X, ESET Premium, CrowdStrike Falcon). Rules include common field aliases and an exec mask for portability. This was tested on a Windows Server 2022 Standard VM (Version 10.0.20348, Build 20348) using the following source and the x64 exe built from it:
"https://github.com/TwoSevenOneT/EDR-Redir"

As this rule detects execute access to bindfltapi.dll by suspicious processes, it requires File System auditing and a SACL on the DLL to catch these hits.

Changelog

new: win_security_susp_bindfltapi_execute.yml

Example Log Event

True positive example, matches the rule (ObjectType: File, path ends with \bindfltapi.dll, AccessMask 0x20 / %%4421 Execute, non-system process):

EventID: 4663
ObjectServer: Security
ObjectType: File
ObjectName: C:\Windows\System32\bindfltapi.dll
HandleId: 0xAC
AccessMask: 0x20
AccessList: %%4421
ProcessId: 0x984
ProcessName: C:\EDR-Redir\x64\Debug\EDR-Redir.exe
SubjectUserName: Administrator
SubjectUserSid: S-1-5-21-4024965044-827233860-1202526542-500
SubjectDomainName: WIN-41I2QDGCQ0B
SubjectLogonId: 0x16bba6
ResourceAttributes: S:AI

False positive example (only ReadAttributes, not Execute; process is Defender, MsMpEng.exe):

EventID: 4663
ObjectServer: Security
ObjectType: File
ObjectName: C:\Windows\System32\bindfltapi.dll
HandleId: 0xF84
AccessMask: 0x80
AccessList: %%4423
ProcessId: 0xA58
ProcessName: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2210.6-0\MsMpEng.exe
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-41I2QDGCQ0B$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
ResourceAttributes: S:AI

This rule detects execute access to bindfltapi.dll by suspicious processes, requiring File System auditing and SACL.
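To make the matching criteria in the description concrete, here is an added Python example written for this page; it is not the rule file from the PR and not SigmaHQ code. It applies the same logic (EventID 4663, ObjectType File, path ending in \bindfltapi.dll, FILE_EXECUTE via either the numeric AccessMask bit 0x20 or the %%4421 entry in AccessList, and a trusted-process exclusion) to the two events above plus two constructed events. The trusted-process filter (SYSTEM SID combined with a path-prefix allowlist) and the two extra sample events are assumptions for illustration, not the merged rule's exact filter.

```python
"""Reference implementation of the 4663 / bindfltapi.dll matching logic, run over
constructed sample events. Added example, not the Sigma rule itself."""

FILE_EXECUTE = 0x20           # AccessMask bit for FILE_EXECUTE on a file object
EXECUTE_ACCESS_ID = "%%4421"  # the same right as it appears in the AccessList field

# Assumed filter, modeled on the PR's false-positive event: SYSTEM-owned processes
# running from OS or Defender platform directories. Not the merged rule's exact filter.
SYSTEM_SID = "S-1-5-18"
TRUSTED_PATH_PREFIXES = (
    "c:\\windows\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)

# Sample events in the "Field: value" listing style of the PR description.
# TP and FP mirror the PR's two examples; the other two are constructed here.
TP_EVENT = r"""
EventID: 4663
ObjectType: File
ObjectName: C:\Windows\System32\bindfltapi.dll
AccessMask: 0x20
AccessList: %%4421
ProcessName: C:\EDR-Redir\x64\Debug\EDR-Redir.exe
SubjectUserSid: S-1-5-21-4024965044-827233860-1202526542-500
"""
FP_EVENT = r"""
EventID: 4663
ObjectType: File
ObjectName: C:\Windows\System32\bindfltapi.dll
AccessMask: 0x80
AccessList: %%4423
ProcessName: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2210.6-0\MsMpEng.exe
SubjectUserSid: S-1-5-18
"""
# Constructed: Execute combined with ReadAttributes (0x20 | 0x80) from an unprivileged user.
COMBINED_MASK_EVENT = r"""
EventID: 4663
ObjectType: File
ObjectName: C:\Windows\System32\bindfltapi.dll
AccessMask: 0xA0
AccessList: %%4421 %%4423
ProcessName: C:\Users\Public\loader.exe
SubjectUserSid: S-1-5-21-4024965044-827233860-1202526542-1001
"""
# Constructed: execute access by a SYSTEM process under C:\Windows, excluded by the filter.
SYSTEM_LOADER_EVENT = r"""
EventID: 4663
ObjectType: File
ObjectName: C:\Windows\System32\bindfltapi.dll
AccessMask: 0x20
AccessList: %%4421
ProcessName: C:\Windows\System32\svchost.exe
SubjectUserSid: S-1-5-18
"""
SAMPLE_EVENTS = [TP_EVENT, FP_EVENT, COMBINED_MASK_EVENT, SYSTEM_LOADER_EVENT]


def parse_event(text: str) -> dict:
    """Parse a 'Field: value' listing into a dict (split on the first colon only,
    so values such as C:\\... survive intact)."""
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def is_execute_access(event: dict) -> bool:
    """True if FILE_EXECUTE was requested, whether the log source exposes the numeric
    mask, the %%-coded access list, or both (the 'exec mask for portability')."""
    mask = int(event.get("AccessMask", "0"), 16)
    return bool(mask & FILE_EXECUTE) or EXECUTE_ACCESS_ID in event.get("AccessList", "")


def targets_bindfltapi(event: dict) -> bool:
    return (event.get("ObjectType") == "File"
            and event.get("ObjectName", "").lower().endswith("\\bindfltapi.dll"))


def is_trusted_system_process(event: dict) -> bool:
    proc = event.get("ProcessName", "").lower()
    return event.get("SubjectUserSid") == SYSTEM_SID and proc.startswith(TRUSTED_PATH_PREFIXES)


def matches_rule(event: dict) -> bool:
    return (event.get("EventID") == "4663"
            and targets_bindfltapi(event)
            and is_execute_access(event)
            and not is_trusted_system_process(event))


def detect(events: list) -> list:
    """Return the ProcessName of every event the rule fires on, in input order."""
    return [e["ProcessName"] for e in map(parse_event, events) if matches_rule(e)]


if __name__ == "__main__":
    for proc in detect(SAMPLE_EVENTS):
        print("ALERT bindfltapi.dll execute access:", proc)
```

Two things to keep in mind when deploying the real rule: no 4663 event is written at all unless the Audit File System subcategory is enabled and a SACL auditing Execute is set on bindfltapi.dll, and any legitimate consumer of the bind filter API also opens the DLL with execute access when it loads it, so the process exclusion carries most of the signal and needs tuning per environment.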
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 6, 2025
@vl43den vl43den changed the title new: bindapi.dll execution by suspicious process new: bindfltapi.dll execution by suspicious process Nov 6, 2025
Updated the title, status, and description fields. Adjusted detection criteria and filtering conditions syntactically and fixed some more spacing.