EDR-Freeze Arrives! It Puts Windows into a Deep Coma Without Vulnerable Drivers

A Zero Salarium specialist has unveiled a method that temporarily disables antivirus processes and EDR agents on Windows systems. The approach, released as a tool called EDR-Freeze, relies only on built-in system components: it suspends monitoring processes without the need for an additional vulnerable driver, using the inherent behavior of native operating system components and exploiting a race condition between processes.

Understanding the Mechanism

The core of this method is MiniDumpWriteDump, which suspends all threads of the target process while it captures a snapshot; the process that triggers the dump is responsible for resuming the suspended one. The research shows how to launch WerFaultSecure as a Protected Process Light (PPL) at the WinTCB level so that it can dump the desired PID. At a critical juncture WerFaultSecure is itself suspended, leaving the target process in a “comatose state”, since the initiator that could resume it is also blocked.

To demonstrate this technique, the author utilizes CreateProcessAsPPL alongside the WerFaultSecure startup parameters. The process state is checked, and NtSuspendProcess is called on the initiator process at the right moment. Notably, this mechanism operates without the need for third-party driver exploits and functions in user mode, making it particularly convenient for quick testing and enhancing monitoring bypass capabilities.

Practical Applications of EDR-Freeze

The article provides a comprehensive overview of the EDR-Freeze tool, which is available in a GitHub repository along with runtime examples. The utility requires the target program’s PID and the desired pause time in milliseconds, executing the outlined steps to keep the antivirus process suspended. A demonstration highlighted that MsMpEng.exe, the Windows Defender service on Windows 11 24H2, was successfully suspended for a specified duration, with its status monitored via Process Explorer.

The author underscores that this technique offers an alternative to BYOVD approaches, eliminating the need to transfer a vulnerable driver into the test environment. Furthermore, the specialist advises monitoring WerFaultSecure for anomalous launch parameters: if its arguments name the PIDs of sensitive services such as LSASS, antivirus processes, or EDR agents, the launch warrants further investigation. Additionally, protection mechanisms should verify the launch chains of protected processes and detect unusual sequences during dump creation.
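A defender-side check for the advice above, added here as an example (not code from the original research or the EDR-Freeze tool): it resolves every numeric argument of a WerFaultSecure.exe launch against a live PID table and flags a sensitive target or an unexpected parent. The event shape, the PID snapshot, the parent allow-list and the `/pid`-style switches in the sample command lines are constructed assumptions.

```python
import ntpath
import re

# Constructed pid -> image snapshot; in production take it from Get-Process or the
# event stream at the moment the WerFaultSecure launch is observed.
PROCESS_SNAPSHOT = {
    712: r"C:\Windows\System32\lsass.exe",
    3320: r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    5104: r"C:\Windows\System32\notepad.exe",
}
# Illustrative list (assumption): add your EDR agent's own image names.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}
# Assumed legitimate launchers; baseline on your own fleet before alerting.
EXPECTED_PARENTS = {"svchost.exe", "werfault.exe"}

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "WerFaultSecure.exe /h /pid 5104 /tid 2100"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo 712"},
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\dev\Desktop\tool.exe",
     "CommandLine": "WerFaultSecure.exe /h /pid 3320 /tid 1234 /file 0x1c"},
]


def inspect_event(event, snapshot, sensitive=SENSITIVE_IMAGES, parents=EXPECTED_PARENTS):
    """Findings for one process-creation event; an empty list means nothing suspicious."""
    if ntpath.basename(event["Image"]).lower() != "werfaultsecure.exe":
        return []
    findings = []
    parent = ntpath.basename(event["ParentImage"])
    if parent.lower() not in parents:
        findings.append(f"unexpected parent {parent}")
    # Switch names are not relied on: every decimal token is resolved against the
    # live PID table and flagged only if it names a sensitive process.
    for token in re.findall(r"\b\d+\b", event["CommandLine"]):
        image = snapshot.get(int(token))
        if image and ntpath.basename(image).lower() in sensitive:
            findings.append(f"targets sensitive pid {token} ({ntpath.basename(image)})")
    return findings


def scan(events, snapshot):
    """Return {event index: findings} for events that produced at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := inspect_event(e, snapshot))}
```

Hex handle values such as `0x1c` are ignored by the decimal-token regex, and a PID is only reported when it resolves to a sensitive image, which keeps thread IDs and stale numbers from producing noise.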

The editorial team of Red Hot Cyber comprises a dedicated group of individuals and anonymous sources, committed to delivering timely information and insights on cybersecurity and computing trends.

Winsage