A new proof-of-concept tool named EDR-Freeze has been developed, capable of placing Endpoint Detection and Response (EDR)<\/a> and antivirus solutions into a suspended \u201ccoma\u201d state.<\/p>\n According to Zero Salarium, the technique leverages a built-in Windows function, offering a stealthier alternative to the increasingly popular Bring Your Own Vulnerable Driver (BYOVD)<\/a> attacks used by threat actors to disable security software.<\/p>\n Unlike BYOVD methods, which require introducing a vulnerable driver onto a target system, EDR-Freeze exploits legitimate components of the Windows operating system.<\/p>\n This approach avoids the need to install third-party drivers, reducing the risk of system instability and detection. The entire process is executed from user-mode code, making it a subtle and effective way to temporarily neutralize security monitoring.<\/p>\n The core of the EDR-Freeze technique lies in the manipulation of the To ensure a consistent and uncorrupted snapshot, the function suspends all threads within the target process while the dump is created.<\/p>\n Ordinarily, this suspension is brief. However, the developer of EDR-Freeze devised a method to prolong this suspended state indefinitely.<\/p>\n The primary challenges were twofold: extending the very short execution time of the To overcome PPL protection, the technique utilizes By crafting the correct parameters, The final piece of the puzzle is a race-condition attack that turns a momentary suspension into a prolonged freeze. The attack unfolds in a rapid, precise sequence:<\/p>\n Because The result is that the security software is left in a permanent state of suspension, effectively blinded, until the The developer has released the EDR-Freeze tool to demonstrate this technique. It takes two simple parameters: the Process ID (PID) of the target to be frozen and the duration of the suspension in milliseconds.<\/p>\n This allows an attacker to disable security tools<\/a>, perform malicious actions, and then allow the security software to resume normal operations as if nothing had happened.<\/p>\n A test on Windows 11 24H2 successfully suspended the For defenders, detecting this technique involves monitoring for unusual executions of If the program is observed targeting the PIDs of sensitive processes like Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe MiniDumpWriteDump Exploit<\/strong><\/h2>\n
MiniDumpWriteDump<\/code> function. This function, part of the Windows DbgHelp<\/code> library, is designed to create a minidump, a snapshot of a process\u2019s memory for debugging purposes.<\/p>\n![\"EDR-Freeze](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjNZY2SS28D7gjcCEqqxwNqIU7sQsnticwCqVWhqIMpYxdNT7-Rr878zxluHU5E3EmW5KYrwds0bzUd6tCzX5w3sfjwDCHK06HzZoEF8gb8J31oUft5qPGtOFZ-iLi1y-HKIomH_OrQzi9OuHIjLy26vf_l9gZ83BqPAELR2ScCsVygHL277O35GE11l6gO\/s16000\/EDR-Freeze%2520running%2520parameters.webp?ssl=1\")
MiniDumpWriteDump<\/code> function and bypassing the Protected Process Light (PPL) security feature that shields EDR and antivirus<\/a> processes from tampering.<\/p>\nWerFaultSecure.exe<\/code>, a component of the Windows Error Reporting (WER) service. WerFaultSecure.exe<\/code> can run with WinTCB<\/code> level protection, one of the highest privilege levels, allowing it to interact with protected processes.<\/p>\nWerFaultSecure.exe<\/code> can be instructed to initiate the MiniDumpWriteDump<\/code> function on any target process, including protected EDR and antivirus agents.<\/p>\n\n
WerFaultSecure.exe<\/code> is launched with parameters directing it to create a memory dump of the target EDR or antivirus process.<\/li>\nMiniDumpWriteDump<\/code> begins its work), the EDR-Freeze tool immediately suspends the WerFaultSecure.exe<\/code> process itself.<\/li>\n<\/ol>\nWerFaultSecure.exe<\/code> is now suspended, it can never complete the memory dump operation and, crucially, can never resume the threads of the target EDR process.<\/p>\nWerFaultSecure.exe<\/code> process is terminated, Zero Salarium said<\/a>.<\/p>\nEDR-Freeze Tool Killing Process<\/strong><\/h2>\n
MsMpEng.exe<\/code> process of Windows Defender.<\/p>\n![\"EDR-Freeze](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhxYfbeuBoP2xbYTedVbdO0ATBFs3tOZEZFFX4xiWZGX_yLwKUz9YNIq4xnRGpCushbWH_hogpt6htJipOXQ8vH6-mBNWUK9u_Tfp2KXQRwfh_D5k2nDAETGCzZfHOcfzI5LleVz3x52FRf13wTkQUfmeA6qpTCavb7E1wAvPOF3WUtBMqVpmoK70orzzvx\/s16000\/EDR-Freeze%2520can%2520suspend%2520MsMpEng%2520antimalware.webp?ssl=1\")
WerFaultSecure.exe<\/code>.<\/p>\nlsass.exe<\/code> or EDR agents, it should be treated as a high-priority security alert requiring immediate investigation.<\/p>\n