Technical Mechanics and Forensic Artifacts Exposed

EDR-Freeze is a proof-of-concept tool that forces endpoint detection and response (EDR) or antivirus processes into a temporary “coma.”

Instead of installing a vulnerable driver, it leverages legitimate Windows Error Reporting components, specifically WerFaultSecure.exe and the MiniDumpWriteDump API, to pause security processes from user mode.

By racing threads at just the right moment, EDR-Freeze suspends all worker threads in the target, halting telemetry while leaving the process alive. After a configurable delay, the process resumes normally, often without raising alarms.

How the Freeze Procedure Works

The attack begins when EDR-Freeze_1.0.exe launches WerFaultSecure.exe under the cover of Windows Error Reporting, as reported by the researcher.


EDR Freeze Tool Targets

WerFaultSecure.exe loads dbghelp.dll and invokes MiniDumpWriteDump. Although normally used to write crash dumps, MiniDumpWriteDump suspends every thread in the target process during dump creation.

By passing handles directly to the target’s threads, the helper process suspends and later resumes the security engine, such as MsMpEng.exe (Windows Defender).

In Process Explorer, both WerFaultSecure.exe and MsMpEng.exe appear as suspended. This use of built-in components makes the technique stealthy and able to bypass many endpoint defenses.

A controlled memory capture reveals clear signs of the freeze. Using MemProcFS, three MsMpEng.exe threads (TIDs 764, 4244, and 7980) show suspended timestamps between 08:35:08 and 08:35:31, followed by WerFaultSecure.exe thread suspension at 08:35:41.

These time-aligned events confirm the helper process drove the pause.

Volatility’s windows.handles plugin further uncovers that WerFaultSecure.exe opened a PROCESS_SUSPEND_RESUME handle on MsMpEng.exe with access mask 0x18C4A, along with THREAD_ALL_ACCESS on multiple threads.

These handles enable precise thread suspension and resume operations.
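To turn the two memory-forensic observations above (a suspend-capable process handle on MsMpEng.exe plus a cluster of suspended MsMpEng.exe threads) into a repeatable check, here is an added example, not code from the article or the tool author; the handle and thread records are constructed to mirror the article's capture, the date is a placeholder, and the function names are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Access-right bit needed to suspend/resume a process through its handle;
# the 0x18C4A mask recovered in the article has this bit set.
PROCESS_SUSPEND_RESUME = 0x0800
# Security engines whose suspension should never be driven by another process.
SECURITY_PROCESSES = {"MsMpEng.exe"}

@dataclass(frozen=True)
class Handle:
    """One process-type handle, as a windows.handles listing reports it."""
    owner: str
    target: str
    access: int

@dataclass(frozen=True)
class ThreadSuspend:
    """One suspended thread of `process` and when its suspend count rose."""
    process: str
    tid: int
    suspended_at: datetime

def find_freeze_candidates(handles, threads, window=timedelta(seconds=60), min_threads=2):
    """Pair a suspend-capable handle on a security process with a burst of
    thread suspensions in that process inside `window`; return (owner, target, n)."""
    hits = []
    for h in handles:
        if h.target not in SECURITY_PROCESSES or h.owner in SECURITY_PROCESSES:
            continue
        if not h.access & PROCESS_SUSPEND_RESUME:
            continue  # e.g. a query-only handle held by a management service
        times = sorted(t.suspended_at for t in threads if t.process == h.target)
        for i in range(len(times) - min_threads + 1):  # any min_threads in one window
            if times[i + min_threads - 1] - times[i] <= window:
                hits.append((h.owner, h.target, len(times)))
                break
    return hits

# Constructed sample mirroring the article's capture (the date is a placeholder).
T0 = datetime(2025, 1, 1, 8, 35, 0)
SAMPLE_HANDLES = [
    Handle("svchost.exe", "MsMpEng.exe", 0x1000),          # query-only, benign
    Handle("WerFaultSecure.exe", "MsMpEng.exe", 0x18C4A),  # suspend-capable
]
SAMPLE_THREADS = [
    ThreadSuspend("MsMpEng.exe", 764, T0 + timedelta(seconds=8)),
    ThreadSuspend("MsMpEng.exe", 4244, T0 + timedelta(seconds=20)),
    ThreadSuspend("MsMpEng.exe", 7980, T0 + timedelta(seconds=31)),
]
```

Feed it rows exported from Volatility's windows.handles output and MemProcFS thread timestamps; the benign query-only handle produces no hit, while the WerFaultSecure.exe handle combined with the three suspensions inside one window does.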

Forensic Artifacts

During execution, both processes briefly open a file handle to t.txt in the user’s Desktop folder. This temporary file is used to pass encoded dump data before being deleted.

Although not inherently malicious, it serves as a valuable forensic lead. Examining the import address table (IAT) of WerFaultSecure.exe shows a static import of MiniDumpWriteDump from dbghelp.dll.

This import is proof that the helper binary can trigger minidumps and thus suspend threads on demand.

Investigators should preserve any remnants of t.txt and its timestamps, as well as IAT entries indicating MiniDumpWriteDump usage.

Static YARA rules targeting WerFaultSecure.exe can flag the presence of key command-line flags such as “/pid”, “/tid”, “/encfile”, and “/cancel”, along with imports for CreateFileW, CreateEventW, and MiniDumpWriteDump.

In tests, these rules identified both the helper and the suspended MsMpEng.exe threads, while yielding no hits on a clean image.

Incorporating these rules into endpoint hunting workflows can uncover EDR-Freeze activity even when telemetry is suppressed.

EDR-Freeze demonstrates that attackers can weaponize trusted OS components to impair security tooling without kernel exploits.

By driving processes into a reversible coma, adversaries gain stealth during critical phases.

Defenders must extend investigations into memory forensics and behavioral hunts to catch such ephemeral pauses, ensuring continued visibility of security controls during incident response.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.