A recent analysis from researcher Itamar Hällström has revealed the technical workings and forensic trail of “EDR-Freeze,” a proof-of-concept technique that temporarily disables security software.
By abusing legitimate Windows components, this method can place Endpoint Detection and Response (EDR) and antivirus (AV) processes into a temporary, reversible coma, allowing attackers to operate undetected.
The EDR-Freeze technique cleverly misuses the Windows Error Reporting (WER) system to achieve its goal.
Unlike many evasion tools that rely on loading a vulnerable driver (Bring Your Own Vulnerable Driver, BYOVD) to gain kernel-level privileges, this method operates entirely from user mode.
The attack is initiated by the EDR-Freeze tool, which launches a legitimate, signed Microsoft executable, WerFaultSecure.exe. This helper process is instructed to generate a minidump of a target security process, such as Windows Defender’s MsMpEng.exe.

A key side effect of the minidump creation process, which leverages DbgHelp's MiniDumpWriteDump function, is that it suspends all threads in the target process.
The EDR-Freeze tool exploits this behavior, initiating the dump but holding it in a suspended state for a configurable period, effectively pausing the EDR without crashing it.
Once the specified time elapses, the operation is cleanly aborted, and the security process resumes normal function, leaving minimal traces in standard logs.
Uncovering The Forensic Artifacts
Despite its stealthy nature, the EDR-Freeze technique leaves behind distinct artifacts in a system’s memory. A forensic investigation of a memory image can uncover the entire chain of events.
Analysis tools can identify the suspended threads within the target EDR process and correlate their creation times with the activity of the WerFaultSecure.exe helper process. Investigators can also examine process handles, which record the access rights one process has been granted over another.

The WerFaultSecure.exe process will hold a handle to the EDR process with specific access rights, including PROCESS_SUSPEND_RESUME, which is a strong indicator of its purpose.
Command-line arguments also provide crucial evidence, showing the EDR-Freeze tool passing the target process ID (PID) to WerFaultSecure.exe.
Furthermore, the technique creates transient files, such as t.txt, during its operation. Although these files are deleted upon completion, their presence in a memory dump serves as a valuable forensic lead, Itamar Hällström said.
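The correlation described in this section, written out as an added triage script. This is not code from the article or from Itamar Hällström's research tooling; it takes process, thread, handle and file-object records of the kind a memory-analysis framework exports (here constructed inline), and flags a WerFaultSecure.exe instance only when it holds a PROCESS_SUSPEND_RESUME handle to a known security process. The list of security process names and the sample command lines are assumptions.

```python
"""Memory-forensic triage for EDR-Freeze style process suspension.

Added example for this article; it is not code from the original page or
from the researcher's tooling. It correlates the artifact classes the
article describes: suspended threads in a security process, a
WerFaultSecure.exe handle to that process carrying PROCESS_SUSPEND_RESUME,
a helper command line naming the target PID, and leftover t.txt file
objects. All input records are constructed; in practice they would come
from a memory-analysis framework's process, thread, handle and file listings.
"""
from dataclasses import dataclass, field
import re

# Documented Windows process access-right bit (winnt.h); the only one
# this check needs.
PROCESS_SUSPEND_RESUME = 0x0800

# Assumption: lower-cased image names of the security processes of interest.
SECURITY_PROCESSES = {"msmpeng.exe"}
HELPER_NAME = "werfaultsecure.exe"


@dataclass
class Process:
    pid: int
    name: str
    cmdline: str
    start_time: str
    # thread id -> state string as a memory tool would report it
    threads: dict = field(default_factory=dict)
    # (target pid, granted access mask) for each process handle held
    process_handles: list = field(default_factory=list)


def analyse(processes, file_objects):
    """Return one finding per helper->security-process handle that grants
    PROCESS_SUSPEND_RESUME. Score: 1 for the handle, +1 if the target has
    suspended threads, +1 if the helper's command line names the target PID."""
    by_pid = {p.pid: p for p in processes}
    leftover = [f for f in file_objects if f.lower().endswith("\\t.txt")]
    findings = []
    for helper in processes:
        if helper.name.lower() != HELPER_NAME:
            continue
        for target_pid, access in helper.process_handles:
            target = by_pid.get(target_pid)
            if target is None or target.name.lower() not in SECURITY_PROCESSES:
                continue  # benign WER activity against an ordinary application
            if not access & PROCESS_SUSPEND_RESUME:
                continue
            suspended = sorted(t for t, s in target.threads.items() if s == "Suspended")
            pid_named = re.search(rf"\b{target_pid}\b", helper.cmdline) is not None
            findings.append({
                "helper_pid": helper.pid,
                "target": f"{target.name} ({target.pid})",
                "suspended_threads": suspended,
                "pid_in_cmdline": pid_named,
                "freeze_window_start": helper.start_time,
                "transient_files": leftover,
                "score": 1 + bool(suspended) + pid_named,
            })
    return findings


# Constructed sample: a Defender service with every thread suspended, a
# WerFaultSecure.exe helper holding a full-access handle to it, and a second,
# benign WerFaultSecure.exe instance dumping an unrelated crashed program.
# "<flags>" stands in for the helper's real command-line switches.
SAMPLE_PROCESSES = [
    Process(4567, "MsMpEng.exe", "MsMpEng.exe", "2024-01-01 08:00:00",
            threads={100: "Suspended", 101: "Suspended", 102: "Suspended"}),
    Process(7890, "WerFaultSecure.exe", "WerFaultSecure.exe <flags> 4567",
            "2024-01-01 09:15:02", process_handles=[(4567, 0x1FFFFF)]),
    Process(2222, "notepad.exe", "notepad.exe", "2024-01-01 09:00:00",
            threads={200: "Running"}),
    Process(2223, "WerFaultSecure.exe", "WerFaultSecure.exe <flags> 2222",
            "2024-01-01 09:16:00", process_handles=[(2222, 0x1FFFFF)]),
]
SAMPLE_FILE_OBJECTS = [r"\Users\victim\AppData\Local\Temp\t.txt"]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_PROCESSES, SAMPLE_FILE_OBJECTS):
        print(finding)
```

The benign second instance is there on purpose: WerFaultSecure.exe legitimately dumps crashed applications with broad access, so the helper name or the access mask alone is not enough, and the check only fires when the target is a security process.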
Detection Strategies
Defenders can proactively hunt for this activity using custom detection rules. YARA rules have been developed to identify both the EDR-Freeze binary itself and its behavioral patterns in memory.
A binary-focused rule can look for a combination of strings related to the WerFaultSecure.exe command-line flags and API imports for process manipulation, such as CreateFileW and CreateEventW.
A second, behavior-focused rule can scan system memory for a cluster of suspicious indicators, such as privilege escalation APIs and process suspension functions being used together.
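The "cluster of indicators" idea behind the behavior-focused rule, shown as an added Python scanner rather than a YARA rule so the scoring logic is visible. This is not a rule from the article or from the researcher; the indicator set is an assumption assembled from names the article mentions, and the memory regions it scans are constructed. It goes slightly beyond the text in one respect: it checks each string in both ASCII and UTF-16LE, because Windows processes hold most strings in memory as wide characters.

```python
"""Cluster-style memory scan modelled on the behaviour-focused rule.

Added example, not a rule from the article or the researcher. YARA writes
"N of them" natively; this reimplements the idea in Python so the scoring
is explicit: each indicator belongs to a category, and a region is flagged
only when several independent categories appear together. Indicator names
are an assumption drawn from the article; sample regions are constructed.
"""

INDICATORS = {
    "helper": ["WerFaultSecure.exe"],
    "dump_api": ["MiniDumpWriteDump"],
    "handle_api": ["CreateFileW", "CreateEventW"],
    "transient_file": ["t.txt"],
}
# Flag only when at least this many categories co-occur; the handle APIs
# alone are imported by nearly every Windows program and would be pure noise.
MIN_CATEGORIES = 3


def encodings(s):
    """Scan both narrow and wide forms; process memory is mostly UTF-16LE."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def scan_region(data):
    """Return {category: [matched strings]} for one memory region."""
    hits = {}
    for category, strings in INDICATORS.items():
        found = [s for s in strings if any(e in data for e in encodings(s))]
        if found:
            hits[category] = found
    return hits


def classify(data):
    """Return (flagged, hits) for a region, applying the cluster threshold."""
    hits = scan_region(data)
    return len(hits) >= MIN_CATEGORIES, hits


# Constructed regions. The first mixes a wide helper name, a narrow import
# name and a wide file name, as a tool's image would; the second is a typical
# benign program that merely imports the two file/event APIs; the third is a
# legitimate WER process that knows its own name and opens files.
SUSPECT_REGION = (b"\x00" * 8 + "WerFaultSecure.exe".encode("utf-16-le")
                  + b"\x00" * 4 + b"MiniDumpWriteDump\x00CreateEventW\x00"
                  + "t.txt".encode("utf-16-le") + b"\x00" * 8)
BENIGN_REGION = b"kernel32.dll\x00CreateFileW\x00CreateEventW\x00CloseHandle\x00"
LEGIT_WER_REGION = "WerFaultSecure.exe".encode("utf-16-le") + b"\x00CreateFileW\x00"

if __name__ == "__main__":
    for label, region in [("suspect", SUSPECT_REGION), ("benign", BENIGN_REGION),
                          ("legit WER", LEGIT_WER_REGION)]:
        print(label, classify(region))
```

Adjusting MIN_CATEGORIES is the whole tuning knob: at 2 the legitimate WER region would fire, at 3 it does not, which is the trade-off a YARA `N of ($category*)` condition makes in the same way.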
This investigation highlights a critical evolution in attacker tradecraft: instead of killing security tools, they can simply pause them. This demonstrates that even Protected Process Light (PPL) processes can be manipulated, turning trusted system components into weapons.
Detecting these attacks requires defenders to move beyond endpoint alerts and incorporate memory forensics into their incident response workflows.