A security researcher has unveiled a groundbreaking tool that enables the temporary disabling of endpoint detection and response (EDR) systems and antivirus software without the need for vulnerable drivers. This development signifies a notable shift in the techniques employed by attackers targeting security solutions.
Advanced Evasion Through Windows Components
The tool, named EDR-Freeze, was created by researcher TwoSevenOneT and takes advantage of the Windows Error Reporting functionality to execute a sophisticated race condition attack that suspends security processes.
In contrast to traditional Bring Your Own Vulnerable Driver (BYOVD) methods, which require deploying a vulnerable or malicious driver, EDR-Freeze operates entirely in user mode using legitimate Windows components. This approach allows attacks to be executed more discreetly.
At the heart of this technique lies the MiniDumpWriteDump function from Windows’ DbgHelp library, which is designed to create memory snapshots of running processes for debugging. During this process, the function suspends all threads in the target process to ensure a consistent memory capture.
EDR-Freeze cleverly exploits this behavior by initiating the dump process against security software and subsequently suspending the dumping process itself, effectively leaving the target security solution in a state of indefinite suspension.
This method specifically targets the WerFaultSecure.exe process, a component of Windows Error Reporting that operates with Protected Process Light (PPL) privileges at the WinTCB level. By integrating this with the CreateProcessAsPPL tool, attackers can circumvent PPL protection mechanisms that typically safeguard security processes from unauthorized access.
The researcher demonstrated the efficacy of EDR-Freeze by successfully suspending the MsMpEng.exe process of Windows Defender on Windows 11 24H2 for a designated period. The tool is designed to accept two parameters: the process ID of the target security software and the duration of suspension, thereby allowing attackers to temporarily disable monitoring during illicit activities.
This innovative approach addresses significant limitations associated with BYOVD attacks, which often require the deployment of vulnerable drivers that can trigger alerts on monitored systems. EDR-Freeze, by contrast, relies solely on legitimate Windows processes, complicating detection efforts for security teams.
The release of this tool underscores the ongoing cat-and-mouse game between attackers and security vendors. As EDR solutions evolve to better detect BYOVD techniques, threat actors are increasingly developing alternative methods to achieve similar objectives through built-in operating system functionalities.
Security teams are advised to monitor for potential EDR-Freeze usage by scrutinizing the command-line parameters of WerFaultSecure.exe. Indicators of suspicious activity include invocations whose target is a sensitive system process such as LSASS, an antivirus engine, or an EDR agent, which may signal an attempt to tamper with security software.
The researcher has made the source code for EDR-Freeze publicly accessible on GitHub, highlighting its intended use for legitimate security research and red team exercises. However, the tool’s capabilities also raise alarms regarding potential misuse by malicious actors aiming to bypass security controls during attacks.
Organizations are encouraged to evaluate their security monitoring capabilities to detect unusual activities related to WerFaultSecure.exe and to consider implementing additional process protection mechanisms beyond standard PPL safeguards to defend against this emerging evasion technique.