In the ever-evolving landscape of cybersecurity, adversaries continually develop sophisticated methods to circumvent protective measures. A recent analysis by researcher Itamar Hällström has shed light on EDR-Freeze, a proof-of-concept technique that temporarily disables security software, allowing malicious activities to proceed undetected. This method exploits legitimate Windows components to pause Endpoint Detection and Response (EDR) and antivirus (AV) processes without crashing them, leaving minimal forensic traces.
Mechanism of EDR-Freeze
Unlike traditional evasion tools that rely on introducing vulnerable drivers to gain kernel-level privileges—a method known as Bring Your Own Vulnerable Driver (BYOVD)—EDR-Freeze operates entirely within user mode. This approach enhances its stealth and reduces the risk of detection.
The technique leverages the Windows Error Reporting (WER) system, a legitimate component designed to collect and report error information. EDR-Freeze initiates its attack by launching `WerFaultSecure.exe`, a signed Microsoft executable associated with WER. This helper process is directed to generate a minidump of a target security process, such as Windows Defender’s `MsMpEng.exe`.
A critical aspect of the minidump creation process, which utilizes the `MiniDumpWriteDump` function from `DbgHelp.dll`, is that it suspends all threads within the target process during the dump. EDR-Freeze exploits this behavior by initiating the dump and then holding it in a suspended state for a configurable period. This effectively pauses the EDR or AV process without terminating it. After the specified duration, the operation is cleanly aborted, allowing the security process to resume normal function. This method leaves minimal traces in standard logs, making detection challenging.
Forensic Artifacts and Detection
Despite its stealthy nature, EDR-Freeze leaves behind specific artifacts in a system’s memory that can be identified through forensic analysis. Investigators can uncover the entire chain of events by examining a memory image.
Key indicators include suspended threads within the target EDR process, which can be correlated with the activity of the `WerFaultSecure.exe` helper process. Analyzing process handles reveals that `WerFaultSecure.exe` holds a handle to the EDR process with specific access rights, such as `PROCESS_SUSPEND_RESUME`, indicating its purpose. Command-line arguments provide further evidence, showing the EDR-Freeze tool passing the target process ID (PID) to `WerFaultSecure.exe`.
Additionally, transient files like `t.txt` are created during the operation. Although these files are deleted upon completion, their presence in a memory dump serves as a valuable forensic lead.
Detection Strategies
To proactively detect and mitigate the use of EDR-Freeze, defenders can implement custom detection rules. YARA rules have been developed to identify both the EDR-Freeze binary and its behavioral patterns in memory.
A binary-focused rule can search for a combination of strings related to the `WerFaultSecure.exe` command-line flags and API imports for process manipulation, such as `CreateFileW` and `CreateEventW`. A behavior-focused rule can scan system memory for a cluster of suspicious indicators, including the use of privilege escalation APIs and process suspension functions in conjunction.
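The artifact chain described above (a `WerFaultSecure.exe` process holding a `PROCESS_SUSPEND_RESUME`-capable handle to a security process, suspended threads in that target, and the target PID on the helper's command line) can be correlated automatically once a memory image has been parsed into process, handle and thread listings. The script below is an added example, not code from the article or from the EDR-Freeze research: the `Process` record layout, the sample listing and the tool image name `edr_freeze_tool.exe` are constructed, the exact `WerFaultSecure.exe` flag layout is not on the page so the check only looks for the PID as a command-line token, and the `EDR_IMAGES` tuple is a hypothetical watch list a defender would extend.

```python
"""Correlate EDR-Freeze forensic artifacts across process, handle and thread data.

Added example, not part of the original article. The record layout and the
sample data are constructed, loosely modelled on what a memory-forensics tool
emits for process list, handle table and thread state, so it runs offline.
"""
from dataclasses import dataclass, field

# Windows process access right that permits suspending/resuming the process
# (documented value of PROCESS_SUSPEND_RESUME).
PROCESS_SUSPEND_RESUME = 0x0800

# Security-product images to watch. Only MsMpEng.exe is named in the article;
# a defender would extend this tuple for the EDR/AV actually deployed.
EDR_IMAGES = ("msmpeng.exe",)


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str
    suspended_threads: int = 0
    # Process handles this process holds: (target_pid, granted_access_mask)
    handles: list = field(default_factory=list)


def find_edr_freeze_patterns(processes):
    """Return one finding per WerFaultSecure.exe instance that targets a
    watched security process with at least two of the article's indicators:
    a suspend/resume-capable handle, suspended threads in the target, and the
    target PID appearing on the helper's command line."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for helper in processes:
        if helper.image.lower() != "werfaultsecure.exe":
            continue
        for target_pid, access in helper.handles:
            target = by_pid.get(target_pid)
            if target is None or target.image.lower() not in EDR_IMAGES:
                continue
            reasons = []
            if access & PROCESS_SUSPEND_RESUME:
                reasons.append("handle grants PROCESS_SUSPEND_RESUME")
            if target.suspended_threads > 0:
                reasons.append(f"{target.suspended_threads} suspended threads in target")
            # Exact flag syntax is not known here; a bare PID token is enough
            # to tie the helper's command line to the target.
            if str(target_pid) in helper.cmdline.split():
                reasons.append("target PID passed on the command line")
            if len(reasons) >= 2:
                findings.append({
                    "werfault_pid": helper.pid,
                    "parent_pid": helper.ppid,       # the process that launched the helper
                    "parent_image": by_pid[helper.ppid].image if helper.ppid in by_pid else None,
                    "target_pid": target_pid,
                    "target_image": target.image,
                    "reasons": reasons,
                })
    return findings


# Constructed sample listing: one genuine freeze pattern and one benign
# WerFaultSecure.exe instance dumping an unrelated process.
SAMPLE_PROCESSES = [
    Process(pid=4, ppid=0, image="System", cmdline=""),
    Process(pid=3120, ppid=900, image="MsMpEng.exe", cmdline="MsMpEng.exe",
            suspended_threads=41),
    Process(pid=7780, ppid=2200, image="edr_freeze_tool.exe",   # placeholder name
            cmdline="edr_freeze_tool.exe 3120 600000"),
    Process(pid=5120, ppid=7780, image="WerFaultSecure.exe",
            cmdline="WerFaultSecure.exe 3120",
            handles=[(3120, 0x1FFFFF)]),   # PROCESS_ALL_ACCESS includes suspend/resume
    Process(pid=8888, ppid=900, image="notepad.exe", cmdline="notepad.exe"),
    Process(pid=6000, ppid=900, image="WerFaultSecure.exe",
            cmdline="WerFaultSecure.exe 8888",
            handles=[(8888, 0x1000)]),     # PROCESS_QUERY_LIMITED_INFORMATION only
]

if __name__ == "__main__":
    for f in find_edr_freeze_patterns(SAMPLE_PROCESSES):
        print(f"WerFaultSecure.exe pid {f['werfault_pid']} (parent {f['parent_image']}, "
              f"pid {f['parent_pid']}) -> {f['target_image']} pid {f['target_pid']}: "
              + "; ".join(f["reasons"]))
```

Requiring two of the three indicators keeps a legitimate crash dump of a security process (handle and PID on the command line, but no lingering thread suspension once the dump completes) from firing on its own, while the parent image in each finding points the analyst at the tool that launched the helper.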
Implications for Cybersecurity
The emergence of EDR-Freeze highlights a significant evolution in attacker tactics. Instead of terminating security tools, adversaries can now pause them, demonstrating that even Protected Process Light (PPL) processes can be manipulated. This underscores the need for defenders to move beyond traditional endpoint alerts and incorporate memory forensics into their incident response workflows.
By understanding the technical workings and forensic artifacts associated with EDR-Freeze, cybersecurity professionals can enhance their detection capabilities and develop more robust defense strategies against such sophisticated evasion techniques.