Microsoft Unveils RedirectionGuard: A New Windows 11 Defense Against Privilege Escalation Attacks • Daily CyberSecurity

As attackers continue to evolve their tactics, Microsoft is taking bold strides to neutralize entire classes of vulnerabilities — not just patching individual CVEs. In its recently blog post, the tech giant has unveiled RedirectionGuard, a new Windows 11 mitigation feature designed to shut down a widespread vector for privilege escalation: filesystem redirection attacks.

Redirection attacks exploit the way privileged Windows services interact with files. Attackers use junctions (a kind of file system link) to reroute file operations from benign locations to critical system paths like C:\Windows\System32. For example:

“A service may use a temporary folder… but what if an unprivileged user replaces the folder with a junction that points to C:\Windows\System32? Now when the service cleans up, it follows the junction and deletes system files.”

That’s a nightmare scenario, potentially resulting in corruption or full system compromise.

Microsoft has previously tackled similar redirection techniques using restrictions on hard links and symbolic links, but junctions have remained a persistent blind spot.

“Junctions remain the biggest existing gap… they can be created by standard users and target any folder on the system,” the company sates.

The company explained that 32 out of 42 path redirection CVEs disclosed in 2024 were related specifically to attacker-created junctions — highlighting the need for a focused defense.

To close this security gap, Microsoft developed RedirectionGuard, which blocks unsafe junction traversals when two key conditions are met:

The junction was created by a non-admin user.
The junction is being accessed by a process that has opted into RedirectionGuard.

“When RedirectionGuard is enabled by a process, the process will only follow ‘trusted’ junctions — those created by an administrator or created before the mitigation was available,” the company explains.

This simple but powerful logic makes junction redirection by attackers fail silently, rendering many common local privilege escalation (LPE) techniques useless.

RedirectionGuard is opt-in, minimizing risk of disruption. It is already active in critical Windows services like User Profile Service, AppX Deployment Service, and Installer Service in Windows Insider builds.

Developers can enable RedirectionGuard in their programs using the SetProcessMitigationPolicy API. Microsoft even provides a sample implementation in C:

ULONG
SetProcessMitigationMode(
    _In_ MODE_OPTION Option
    )
{
    ULONG Error = ERROR_SUCCESS;
    PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY ReparsePointPolicy = {0};

    if (Option == MODE_OPTION::Enforce) {
        ReparsePointPolicy.EnforceRedirectionTrust = 1;
    } else if (Option == MODE_OPTION::Audit) {
        ReparsePointPolicy.AuditRedirectionTrust = 1;
    }

    if (!SetProcessMitigationPolicy(
            ProcessRedirectionTrustPolicy,
            &ReparsePointPolicy,
            sizeof(PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY))) {
        Error = GetLastError();
        LogError(Error, "Failed to set image mitigation policy options");
    }

    return Error;
}

For audit-only mode, developers can toggle AuditRedirectionTrust instead.

Security professionals can verify mitigation status using James Forshaw’s NtObjectManager PowerShell module. For example:

Get-NtProcessMitigations -ProcessId 1496

This reveals which mitigations are active for any running process — essential for testing and verification.

Rate this post

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Related Posts:

Support Our Threat Intelligence

Related posts:

Leave a Reply Cancel reply