Hackers Deploy New EDR-Freeze Tool to Disable Security Software
A security researcher has released a new tool that can temporarily disable endpoint detection and response (EDR) systems and antivirus software without requiring vulnerable drivers, marking a significant evolution in attack techniques targeting security solutions.
Advanced Evasion Through Windows Components
The tool, dubbed EDR-Freeze and developed by researcher TwoSevenOneT, exploits Windows Error Reporting functionality to suspend security processes through a sophisticated race condition attack.
Unlike traditional Bring Your Own Vulnerable Driver (BYOVD) techniques, which require attackers to load a legitimately signed but vulnerable driver, EDR-Freeze operates entirely in user mode using legitimate Windows components.
The attack leverages the MiniDumpWriteDump function from Windows’ DbgHelp library, which creates memory snapshots of running processes for debugging purposes.
During this operation, the function suspends all threads in the target process to ensure consistent memory capture.
EDR-Freeze exploits this behavior by triggering the dump process against security software and then suspending the dumping process itself, leaving the target security solution frozen for as long as the dumping process remains suspended.
The technique specifically targets the WerFaultSecure.exe process, a Windows Error Reporting component that can run with Protected Process Light (PPL) privileges at the WinTCB level.
By combining this with the CreateProcessAsPPL tool, attackers can bypass PPL protection mechanisms that typically shield security processes from unauthorized access.

The researcher demonstrated EDR-Freeze successfully suspending Windows Defender’s MsMpEng.exe process on Windows 11 24H2 for a specified duration.
The tool accepts two parameters: the process ID of the target security software and the suspension duration, allowing attackers to temporarily disable monitoring during malicious activities.
This approach addresses key limitations of BYOVD attacks, which require deploying vulnerable drivers that can trigger alerts on monitored systems.
EDR-Freeze uses only legitimate Windows processes, making detection more challenging for security teams.
The tool’s release highlights ongoing cat-and-mouse dynamics between attackers and security vendors.
As EDR solutions become more sophisticated in detecting BYOVD techniques, threat actors are developing alternative methods to achieve similar objectives using built-in operating system functionality.
Security teams can monitor for potential EDR-Freeze usage by examining WerFaultSecure.exe command-line parameters.
Suspicious activity includes the process targeting sensitive system processes like LSASS, antivirus engines, or EDR agents, which may indicate attempted security software manipulation.
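The following script is an added example, not part of this article or of the EDR-Freeze project, showing how the detection idea above can be turned into a check over process-creation telemetry: every launch of WerFaultSecure.exe is inspected, the process ID named on its command line is resolved against a process table, and a finding is raised when that target is LSASS, an antivirus engine, or an EDR agent. The record layout, the process-table snapshot, the `/pid <n>` argument form, and the process names other than MsMpEng.exe and lsass.exe are assumptions constructed for the example; adapt the parser to the fields your own telemetry (for instance Sysmon process-creation events) provides.

```python
"""Added example: flag WerFaultSecure.exe launches aimed at sensitive processes.

Not code from the article or from the EDR-Freeze project. The event layout,
the process table, and the '/pid <n>' command-line form are assumptions
made for this example.
"""
import re
from typing import Dict, List, Optional

# Processes a defender would not expect WerFaultSecure.exe to be dumping
# during normal operation. Extend with your own EDR agent's binaries.
SENSITIVE_PROCESSES = {
    "lsass.exe",    # credential store, named in the article
    "msmpeng.exe",  # Windows Defender engine, named in the article
    "edragent.exe", # hypothetical EDR agent name (placeholder)
}

# Constructed sample telemetry: one process-creation record per launch.
SAMPLE_EVENTS = [
    {"pid": 4321, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 720 /tid 1234", "parent_pid": 9001},
    {"pid": 4322, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 5566 /tid 8", "parent_pid": 1200},
    {"pid": 4323, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": "WerFault.exe -u -p 3104 -s 400", "parent_pid": 1200},
    {"pid": 4324, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 3104 /tid 44", "parent_pid": 9001},
    {"pid": 4325, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h", "parent_pid": 1200},
]

# Constructed snapshot of the process table at the time of the events,
# used to turn the PID on the command line into an image name.
PROCESS_TABLE: Dict[int, str] = {
    720: "lsass.exe",
    3104: "MsMpEng.exe",
    5566: "notepad.exe",
    1200: "svchost.exe",
    9001: "launcher.exe",  # hypothetical parent, placeholder name
}

# Assumed argument form: a '/pid' switch followed by the target process ID.
PID_ARG = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)


def target_pid(cmdline: str) -> Optional[int]:
    """Return the PID named on the command line, or None if absent."""
    match = PID_ARG.search(cmdline)
    return int(match.group(1)) if match else None


def is_werfaultsecure(image: str) -> bool:
    """True when the launched image is WerFaultSecure.exe (path ignored)."""
    return image.rsplit("\\", 1)[-1].lower() == "werfaultsecure.exe"


def find_suspicious(events: List[dict], process_table: Dict[int, str]) -> List[dict]:
    """Return one finding per WerFaultSecure.exe launch aimed at a sensitive process."""
    findings = []
    for event in events:
        if not is_werfaultsecure(event["image"]):
            continue
        pid = target_pid(event["cmdline"])
        if pid is None:
            continue
        target = process_table.get(pid)
        if target and target.lower() in SENSITIVE_PROCESSES:
            findings.append({
                "event_pid": event["pid"],
                "parent_pid": event.get("parent_pid"),
                "target_pid": pid,
                "target": target,
                "cmdline": event["cmdline"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS, PROCESS_TABLE):
        print(f"WerFaultSecure.exe (pid {finding['event_pid']}, parent "
              f"{finding['parent_pid']}) targeting {finding['target']} "
              f"(pid {finding['target_pid']}): {finding['cmdline']}")
```

On the constructed sample the check raises two findings, for the launches aimed at lsass.exe and MsMpEng.exe, and ignores the launch against notepad.exe, the ordinary WerFault.exe event, and the launch with no target PID. A genuine crash in one of the protected processes would also produce a WerFaultSecure.exe launch against it, so treat a hit as a lead to be correlated with the parent process and the user context recorded in the same event rather than as proof on its own.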
The researcher has made EDR-Freeze’s source code publicly available on GitHub, emphasizing its use for legitimate security research and red team exercises.
However, the tool’s capabilities raise concerns about potential misuse by malicious actors seeking to evade security controls during attacks.
Organizations should review their security monitoring capabilities to detect unusual WerFaultSecure.exe activity and consider implementing additional process protection mechanisms beyond standard PPL safeguards to defend against this emerging evasion technique.