A new proof-of-concept tool named EDR-Freeze has been developed, capable of placing Endpoint Detection and Response (EDR) and antivirus solutions into a suspended “coma” state.
According to Zero Salarium, the technique leverages a built-in Windows function, offering a stealthier alternative to the increasingly popular Bring Your Own Vulnerable Driver (BYOVD) attacks used by threat actors to disable security software.
Unlike BYOVD methods, which require introducing a vulnerable driver onto a target system, EDR-Freeze exploits legitimate components of the Windows operating system.
This approach avoids the need to install third-party drivers, reducing the risk of system instability and detection. The entire process is executed from user-mode code, making it a subtle and effective way to temporarily neutralize security monitoring.
The MiniDumpWriteDump Exploit
The core of the EDR-Freeze technique lies in the manipulation of the MiniDumpWriteDump function. This function, part of the Windows DbgHelp library, is designed to create a minidump, a snapshot of a process’s memory for debugging purposes.
To ensure a consistent and uncorrupted snapshot, the function suspends all threads within the target process while the dump is created.
Ordinarily, this suspension is brief. However, the developer of EDR-Freeze devised a method to prolong this suspended state indefinitely.

The primary challenges were twofold: extending the very short execution time of the MiniDumpWriteDump function and bypassing the Protected Process Light (PPL) security feature that shields EDR and antivirus processes from tampering.
To overcome PPL protection, the technique utilizes WerFaultSecure.exe, a component of the Windows Error Reporting (WER) service. WerFaultSecure.exe can run with WinTCB level protection, one of the highest privilege levels, allowing it to interact with protected processes.
By crafting the correct parameters, WerFaultSecure.exe can be instructed to initiate the MiniDumpWriteDump function on any target process, including protected EDR and antivirus agents.
The final piece of the puzzle is a race-condition attack that turns a momentary suspension into a prolonged freeze. The attack unfolds in a rapid, precise sequence:
- WerFaultSecure.exe is launched with parameters directing it to create a memory dump of the target EDR or antivirus process.
- The EDR-Freeze tool continuously monitors the target process.
- The moment the target process enters a suspended state (as MiniDumpWriteDump begins its work), the EDR-Freeze tool immediately suspends the WerFaultSecure.exe process itself.
Because WerFaultSecure.exe is now suspended, it can never complete the memory dump operation and, crucially, can never resume the threads of the target EDR process.
The result is that the security software is left in a permanent state of suspension, effectively blinded, until the WerFaultSecure.exe process is terminated, Zero Salarium said.
The developer has released the EDR-Freeze tool to demonstrate this technique. It takes two simple parameters: the Process ID (PID) of the target to be frozen and the duration of the suspension in milliseconds.
This allows an attacker to disable security tools, perform malicious actions, and then allow the security software to resume normal operations as if nothing had happened.
A test on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender.

For defenders, detecting this technique involves monitoring for unusual executions of WerFaultSecure.exe.
If the program is observed targeting the PIDs of sensitive processes like lsass.exe or EDR agents, it should be treated as a high-priority security alert requiring immediate investigation.
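As an added illustration of the detection advice above (example code written for this article, not part of the EDR-Freeze tool or Zero Salarium's write-up), the following correlates process-creation events so that a WerFaultSecure.exe launch is rated "high" when its target PID resolves to a sensitive image. It assumes the target is passed on the command line as `/pid <n>`; that argument shape and the sample events are constructed for the example.

```python
import re
from dataclasses import dataclass

# Image names treated as sensitive targets (lsass.exe and Defender's MsMpEng.exe
# are the ones the article names); add your own EDR agent image names here.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}

@dataclass
class ProcEvent:
    pid: int
    image: str     # full path of the created process
    cmdline: str   # command line recorded by the process-creation event

# Assumed argument shape "/pid <n>" for the target; an assumption of this example,
# not something the article states about WerFaultSecure.exe's parameters.
PID_ARG = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def target_pid(cmdline: str):
    """PID named by the /pid argument, or None if absent."""
    m = PID_ARG.search(cmdline)
    return int(m.group(1)) if m else None

def find_freeze_candidates(events, sensitive=SENSITIVE_IMAGES):
    """Return (severity, werfaultsecure_pid, target_pid, target_image) for each
    WerFaultSecure.exe launch: 'high' if the target is a sensitive process."""
    pid_to_image = {e.pid: basename(e.image) for e in events}
    alerts = []
    for e in events:
        if basename(e.image) != "werfaultsecure.exe":
            continue
        tpid = target_pid(e.cmdline)
        timage = pid_to_image.get(tpid)
        severity = "high" if timage in sensitive else "low"
        alerts.append((severity, e.pid, tpid, timage))
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(712, r"C:\Windows\System32\lsass.exe", "lsass.exe"),
    ProcEvent(3120, r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe"),
    ProcEvent(4488, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(5200, r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 3120"),
    ProcEvent(5316, r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 4488"),
]

if __name__ == "__main__":
    for alert in find_freeze_candidates(SAMPLE_EVENTS):
        print(alert)
```

In practice the PID-to-image map comes from the same process-creation feed (for example Sysmon event ID 1 or Windows event 4688), so a WerFaultSecure.exe launch can be rated as soon as it appears.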