news 2025.11.14

EDR-Freeze: new PoC that can put EDR/AV into a “coma”

Share:

A new proof-of-concept called EDR-Freeze abuses native Windows debugging functionality to suspend Endpoint Detection & Response (EDR) and antivirus (AV) processes indefinitely. Unlike BYOVD techniques, it does not require a vulnerable third-party driver; the attack runs from user-mode by invoking WerFaultSecure.exe to call MiniDumpWriteDump and then exploiting a race condition to freeze the dumper — leaving the target EDR/AV process suspended (e.g., MsMpEng.exe on Win11 24H2).

 

Impact & technical notes
• Impact: Temporary, stealthy neutralization of endpoint protections enables attackers to perform lateral movement, credential theft, persistence and data exfiltration while monitoring and alerts are impaired.
• Why it’s notable: Uses legitimate Windows components (DbgHelp + WER) and a race condition, making detection harder and avoiding driver installs that raise alarms.
• Detection hints: abnormal executions of WerFaultSecure.exe with dump parameters; protected processes suspended for unusually long durations; sudden gaps in telemetry from EDR agents.

 

What you should do now (practical actions — prioritized)
1. Monitor & alert (Immediate): Add rules to detect WerFaultSecure.exe process creations with suspicious command lines and long suspensions of known EDR/AV processes (e.g., MsMpEng.exe, EDR agent PIDs, lsass.exe).
2. Vendor & patch (High): Contact your EDR/AV vendor for guidance and apply any vendor mitigations or updates. Ensure tamper-protection is enabled.
3. Hunt & IR playbook (High): Hunt for historical WerFaultSecure.exe/dump activity and add this scenario to IR runbooks — isolate hosts where EDR is unexpectedly suspended.
4. Restrict & harden (Mid): Consider application control (AppLocker/WDAC) and least privilege to limit who/what can invoke WER components; review service account rights that could launch WerFaultSecure.exe.
5. Behavioral detection (Mid): Enhance telemetry to flag sequences: dumper spawn → target suspend → dumper suspend → attacker operations.

 

Bottom line: EDR-Freeze underscores that adversaries increasingly weaponize legitimate OS features. Defence requires layered detection (process/behavior + telemetry), vendor coordination, and readiness to respond when endpoint protections appear to “go quiet.”