A recent analysis by researcher Itamar Hällström has revealed the technical workings and forensic trail of "EDR-Freeze," a proof-of-concept technique that temporarily disables security software.
By abusing legitimate Windows components, the technique can put Endpoint Detection and Response (EDR) and antivirus (AV) processes into a temporary, reversible coma, allowing attackers to operate undetected while it lasts.
EDR-Freeze misuses the Windows Error Reporting (WER) system to achieve this.
Unlike many evasion tools that rely on bringing a vulnerable driver (BYOVD) to gain kernel-level privileges, the technique operates entirely from user mode.
The attack is initiated by the EDR-Freeze tool, which launches a legitimate, signed Microsoft executable, WerFaultSecure.exe. This helper process is instructed to generate a minidump of a target security process, such as Windows Defender's MsMpEng.exe.
EDR-Freeze tool targeting a security process
A key side effect of minidump creation, which relies on DbgHelp's MiniDumpWriteDump function, is that it suspends every thread in the target process for the duration of the dump.
The EDR-Freeze tool exploits this behaviour: it initiates the dump but keeps the target in that suspended state for a configurable period, effectively pausing the EDR without crashing it.
Once the chosen time elapses, the operation is cleanly aborted and the security process resumes normal operation, leaving minimal traces in standard logs.
Uncovering the Forensic Artifacts
Despite its stealthy nature, the EDR-Freeze technique leaves distinct artifacts in system memory. A forensic examination of a memory image can reconstruct the entire chain of events.
Analysis tools can identify the suspended threads inside the target EDR process and correlate their creation times with the activity of the WerFaultSecure.exe helper process. Investigators can also examine process handles, which record the access rights one process has been granted over another.
Forensic artifacts
The WerFaultSecure.exe process holds a handle to the EDR process with specific access rights, including PROCESS_SUSPEND_RESUME, which is a strong indicator of its purpose.
Command-line arguments also provide crucial evidence, showing the EDR-Freeze tool passing the target process ID (PID) to WerFaultSecure.exe.
Furthermore, the technique creates temporary files, such as t.txt, during its operation. Although these files are deleted on completion, their presence in a memory dump serves as a valuable forensic lead, Itamar Hällström said.
Detection Strategies
Defenders can proactively hunt for this activity using custom detection rules. YARA rules have been developed to identify both the EDR-Freeze binary itself and its behavioural patterns in memory.
A binary-focused rule can look for a combination of strings related to the WerFaultSecure.exe command-line flags together with API imports used for process manipulation, such as CreateFileW and CreateEventW.
A second, behaviour-focused rule can scan system memory for a cluster of suspicious indicators, such as privilege-escalation APIs and process-suspension functions appearing together.
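As an illustration of the binary-focused approach, the rule below is an added example written for this article, not one of the researcher's published rules. It uses only the indicators the article names (the WerFaultSecure.exe helper name, the t.txt temporary file, and the CreateFileW and CreateEventW imports); the article does not list the WerFaultSecure.exe command-line flags, so those are deliberately left out and the rule name is a placeholder.

```yara
import "pe"

rule EDRFreeze_style_binary_indicators
{
    meta:
        description = "Illustrative rule for the WerFaultSecure.exe abuse pattern described for EDR-Freeze (not the researcher's published rule)"
        stance = "detection / hunting"

    strings:
        // Helper binary the tool launches to dump and suspend the target
        $helper = "WerFaultSecure.exe" ascii wide nocase
        // Temporary file name the article reports the tool creating
        $tmp    = "t.txt" ascii wide nocase

    condition:
        // PE file that embeds both strings and imports the named APIs
        uint16(0) == 0x5A4D
        and $helper and $tmp
        and pe.imports("kernel32.dll", "CreateFileW")
        and pe.imports("kernel32.dll", "CreateEventW")
}
```

Both imports are common in legitimate software and "t.txt" is a short, generic string, so this rule is a starting point for hunting rather than a blocking signature: tune it against a clean-file corpus and add the command-line flag strings once you have confirmed them from a sample.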
The investigation highlights a notable shift in attacker tradecraft: instead of killing security tools, attackers can simply pause them. It also shows that even Protected Process Light (PPL) processes can be manipulated this way, turning a trusted system component into a weapon.
Detecting these attacks requires defenders to move beyond endpoint alerts and incorporate memory forensics into their incident response workflows.