New EDR-Freeze tool uses Windows WER to suspend security software

A new technique called EDR-Freeze shows that security software can be neutralized entirely from user mode by abusing Microsoft's Windows Error Reporting (WER) subsystem. It needs no vulnerable driver: it leaves endpoint detection and response (EDR) agents and antivirus processes suspended, unable to inspect or respond to anything.

Security researcher TwoSevenOneThree, also known as Zero Salarium, combined the WER framework with the MiniDumpWriteDump API to leave EDR and antivirus processes suspended indefinitely. The established way to disable EDR is "Bring Your Own Vulnerable Driver" (BYOVD): the attacker loads a legitimately signed but vulnerable kernel driver and abuses it to gain kernel-level access. That approach carries real costs: the driver has to be brought onto the target, driver blocklists and other execution controls have to be bypassed, and the kernel-level artifacts it leaves behind have to be cleaned up or they give the operation away.

EDR-Freeze, by contrast, runs entirely in user mode and uses only signed Windows components that ship with the operating system, so there is nothing to smuggle in.

How EDR-Freeze works

At the core of the method is WerFaultSecure, a Windows Error Reporting component that runs as a Protected Process Light (PPL). Its job is to collect crash dumps of sensitive system processes (ones that ordinary processes are not allowed to open) for debugging and diagnostics. MiniDumpWriteDump, exported by the DbgHelp library, writes a snapshot, or "minidump," of a process's memory and state. To get a consistent snapshot it suspends every thread of the target process for the duration of the dump and resumes them once the write completes.

EDR-Freeze uses WerFaultSecure to invoke MiniDumpWriteDump against the target, which suspends all of the target's threads while the dump is being written. The twist is that the attacker then suspends WerFaultSecure itself. The dumper never reaches the point where it resumes the target's threads, so the antivirus or EDR process stays frozen. This works because PROCESS_SUSPEND_RESUME is one of the few access rights that protected-process status still grants to unprotected callers, so a PPL can be suspended from an ordinary process even though it cannot be read or injected into.

The researcher describes this as a race condition, carried out in four steps:

  1. Spawn WerFaultSecure as a PPL.
  2. Pass WerFaultSecure command-line arguments that make it call MiniDumpWriteDump on the target PID.
  3. Monitor the target until the dump operation has suspended its threads.
  4. Immediately open WerFaultSecure with PROCESS_SUSPEND_RESUME access and call NtSuspendProcess on it, freezing the dumper before it can resume the target.

The researcher has also released a tool that automates these steps. Tested on Windows 11 24H2, it froze the Windows Defender process.

Figure: Setting the parameters (left) and suspending Windows Defender (right). Source: Zero Salarium

The attack abuses the intended behavior of both MiniDumpWriteDump and WerFaultSecure, so it is a design weakness rather than a memory-safety bug or a vulnerability in Windows proper. To detect EDR-Freeze, defenders should watch WerFaultSecure launches and check whether the PID passed on its command line belongs to a sensitive process such as LSASS or a security tool. Security researcher Steven Lim has already published a tool that maps WerFaultSecure activity to Microsoft Defender for Endpoint processes.
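The detection described above, and the telemetry the four attack steps produce, can be sketched as a rule over process-creation events. The following is an added example written for this article; it is not the researcher's tool or Steven Lim's detection. It runs over constructed Sysmon-style process-create records embedded inline. Two things are assumptions to verify against your own telemetry: that WerFaultSecure receives its target as "/pid <n>" on the command line, and that on a healthy host it is normally spawned by the WER service (svchost.exe). The sensitive image list is illustrative.

```python
"""Flag WerFaultSecure.exe being aimed at LSASS or a security agent.

Added example for this article (not the EDR-Freeze tool or any vendor
detection). Input is a list of constructed process-creation records.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: processes an attacker would want frozen; extend for your EDR.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "mssense.exe"}

# Assumption: WerFaultSecure names its target as "/pid <n>" on the command
# line. Confirm against real WerFaultSecure launches before deploying.
PID_ARG = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)

# Assumption: the WER service (hosted in svchost.exe) is the normal parent.
EXPECTED_PARENT = "svchost.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 shape), constructed."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Finding:
    dumper_pid: int
    target_pid: int
    target_image: str
    parent_image: str
    severity: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_dump_abuse(events: List[ProcEvent]) -> List[Finding]:
    """Return findings for WerFaultSecure launches that look like EDR-Freeze.

    High severity: the /pid argument resolves to a sensitive process.
    Medium severity: the dumper was started by an unexpected parent.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if basename(e.image) != "werfaultsecure.exe":
            continue
        m = PID_ARG.search(e.cmdline)
        if not m:
            continue
        target_pid = int(m.group(1))
        target = by_pid.get(target_pid)
        target_name = basename(target.image) if target else "<unknown>"
        if target_name in SENSITIVE_IMAGES:
            severity, reason = "high", "WerFaultSecure aimed at a sensitive process"
        elif basename(e.parent_image) != EXPECTED_PARENT:
            severity, reason = "medium", "WerFaultSecure launched by an unexpected parent"
        else:
            continue  # WER dumping an ordinary crashed app: no finding
        findings.append(Finding(e.pid, target_pid, target_name,
                                basename(e.parent_image), severity, reason))
    return findings


# Constructed sample telemetry (not real logs). PIDs and paths are made up.
EVENTS = [
    ProcEvent(756, r"C:\Windows\System32\lsass.exe", "lsass.exe",
              588, r"C:\Windows\System32\wininit.exe"),
    ProcEvent(3312, r"C:\Program Files\Windows Defender\MsMpEng.exe", "MsMpEng.exe",
              880, r"C:\Windows\System32\services.exe"),
    ProcEvent(4020, r"C:\Program Files\Example\notes.exe", "notes.exe",
              5000, r"C:\Windows\explorer.exe"),
    # Benign: WER service dumping a crashed user application.
    ProcEvent(6210, r"C:\Windows\System32\WerFaultSecure.exe",
              "WerFaultSecure.exe /h /pid 4020 /tid 4100 /file 512 /encfile 516 /cancel 520",
              880, r"C:\Windows\System32\svchost.exe"),
    # Suspicious: WerFaultSecure spawned by a downloaded binary, aimed at Defender.
    ProcEvent(7044, r"C:\Windows\System32\WerFaultSecure.exe",
              "WerFaultSecure.exe /h /pid 3312 /tid 3340 /file 600 /encfile 604 /cancel 608",
              6900, r"C:\Users\alice\Downloads\edrfreeze.exe"),
    # Odd parent but harmless target: worth a look, not an alert storm.
    ProcEvent(7100, r"C:\Windows\System32\WerFaultSecure.exe",
              "WerFaultSecure.exe /h /pid 4020 /tid 4100 /file 700 /encfile 704 /cancel 708",
              7000, r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for f in find_dump_abuse(EVENTS):
        print(f"[{f.severity}] dumper pid {f.dumper_pid} -> {f.target_image} "
              f"(pid {f.target_pid}), parent {f.parent_image}: {f.reason}")
```

The rule resolves the /pid argument against a PID-to-image table built from the same event stream; in a SIEM you would join against your process inventory instead. Because WerFaultSecure is a legitimate component, the image name alone is not a signal; the combination of target identity and launching parent is what separates EDR-Freeze from a normal crash dump.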

Microsoft could also harden these components against misuse, for example by blocking suspicious invocations, allowing WerFaultSecure to dump only specific PIDs, or restricting the parameters it accepts. BleepingComputer has contacted Microsoft about defending against this technique and will update this article as information becomes available.
