New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State

A groundbreaking proof-of-concept tool, EDR-Freeze, has emerged, showcasing the ability to place Endpoint Detection and Response (EDR) and antivirus solutions into a suspended “coma” state. Developed by Zero Salarium, this innovative technique utilizes a built-in Windows function, presenting a more discreet alternative to the increasingly utilized Bring Your Own Vulnerable Driver (BYOVD) attacks that cybercriminals often employ to disable security software.

In contrast to BYOVD methods, which necessitate the introduction of a vulnerable driver onto a target system, EDR-Freeze cleverly exploits legitimate components of the Windows operating system. This strategic approach eliminates the need for third-party driver installations, thereby minimizing the risks associated with system instability and detection. The entire operation is executed from user-mode code, rendering it a subtle yet effective means of temporarily neutralizing security monitoring.

The MiniDumpWriteDump Exploit

At the heart of the EDR-Freeze technique lies the manipulation of the MiniDumpWriteDump function, a component of the Windows DbgHelp library designed for creating minidumps—snapshots of a process’s memory intended for debugging. Typically, this function suspends all threads within the target process while the dump is being generated, a suspension that is usually brief. However, the ingenious developer behind EDR-Freeze has crafted a method to extend this suspended state indefinitely.

EDR-Freeze Tool

The challenges faced in this endeavor were twofold: prolonging the brief execution time of the MiniDumpWriteDump function and circumventing the Protected Process Light (PPL) security feature, which safeguards EDR and antivirus processes from tampering. To navigate around PPL protection, the technique employs WerFaultSecure.exe, a component of the Windows Error Reporting (WER) service. Operating with WinTCB level protection—one of the highest privilege levels—WerFaultSecure.exe can interact with protected processes.

By carefully crafting the appropriate parameters, WerFaultSecure.exe can be directed to initiate the MiniDumpWriteDump function on any target process, including those of protected EDR and antivirus agents. The final element of this sophisticated puzzle involves a race-condition attack that transforms a momentary suspension into a prolonged freeze. This attack unfolds through a precise sequence of actions:

  1. WerFaultSecure.exe is launched with parameters aimed at creating a memory dump of the target EDR or antivirus process.
  2. The EDR-Freeze tool continuously monitors the target process.
  3. The instant the target process enters a suspended state (as MiniDumpWriteDump begins its operation), the EDR-Freeze tool promptly suspends the WerFaultSecure.exe process itself.

With WerFaultSecure.exe now suspended, it cannot complete the memory dump operation nor resume the threads of the target EDR process. Consequently, the security software remains in a permanent state of suspension, effectively rendered blind until the termination of the WerFaultSecure.exe process, as noted by Zero Salarium.

The developer has made the EDR-Freeze tool available to illustrate this technique, requiring only two simple parameters: the Process ID (PID) of the target to be frozen and the duration of the suspension in milliseconds. This functionality enables an attacker to disable security tools, execute malicious actions, and subsequently allow the security software to resume normal operations as if nothing had transpired.

A test conducted on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender.

EDR-Freeze Tool Kills EDR and Antivirus

For those tasked with defending against such techniques, vigilance is essential. Detecting this method involves monitoring for unusual executions of WerFaultSecure.exe. If this program is observed targeting the PIDs of sensitive processes like lsass.exe or EDR agents, it should be treated as a high-priority security alert, warranting immediate investigation.
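The detection guidance above, worked through as an added example (not code from Zero Salarium or the EDR-Freeze tool): it scans process-creation records for WerFaultSecure.exe launches whose command line carries the PID of a sensitive process. The event records, paths and the argument shape are constructed sample data; the real WerFaultSecure.exe arguments are not given on this page, so the check keys only on numeric tokens, not on any particular flag name.

```python
import re
from dataclasses import dataclass

# Process names the page calls out as high-value targets; extend with your EDR agent names.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_pid_table(events: list[ProcessEvent]) -> dict[int, str]:
    """Map PID -> image name. In production this comes from an endpoint inventory."""
    return {e.pid: basename(e.image) for e in events}


def werfaultsecure_alerts(events: list[ProcessEvent], sensitive=SENSITIVE_IMAGES) -> list[tuple[int, int, str]]:
    """Return (werfaultsecure_pid, target_pid, target_image) for each suspicious launch.

    Every numeric token on the command line is treated as a candidate target PID, so
    an unrelated number that happens to equal a sensitive PID is a possible false positive;
    treat hits as triage leads, as the text advises, not as proof of an attack."""
    pid_table = build_pid_table(events)
    alerts = []
    for e in events:
        if basename(e.image) != "werfaultsecure.exe":
            continue
        for token in re.findall(r"\b\d+\b", e.command_line):
            target = pid_table.get(int(token))
            if target in sensitive:
                alerts.append((e.pid, int(token), target))
    return alerts


# Constructed sample events; the "/pid" and "/out" flag names are placeholders, not real syntax.
SAMPLE_EVENTS = [
    ProcessEvent(712, r"C:\Windows\System32\lsass.exe", "lsass.exe", r"C:\Windows\System32\wininit.exe"),
    ProcessEvent(3380, r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "MsMpEng.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(4460, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(5120, r"C:\Windows\System32\WerFaultSecure.exe", r"WerFaultSecure.exe /pid 3380 /out C:\Temp\d.dmp", r"C:\Users\alice\Desktop\tool.exe"),
    ProcessEvent(5260, r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /pid 4460", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for wfs_pid, target_pid, target in werfaultsecure_alerts(SAMPLE_EVENTS):
        print(f"ALERT: WerFaultSecure.exe (pid {wfs_pid}) targets {target} (pid {target_pid})")
```

Only the launch aimed at MsMpEng.exe is flagged; the one aimed at notepad.exe is ignored.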
