New EDR-Freeze tool uses Windows WER to suspend security software
Threat Overview
A newly released proof-of-concept tool called EDR-Freeze demonstrates how attackers can abuse Windows Error Reporting (WER) to suspend security processes, including antivirus (AV) and endpoint detection and response (EDR) solutions, without requiring kernel-level exploits.
Unlike previous techniques such as Bring Your Own Vulnerable Driver (BYOVD), this method operates entirely from user mode using legitimate Windows components, making detection and prevention more challenging.
Technical Details
Affected Components:
Windows Error Reporting (WerFaultSecure.exe) and the MiniDumpWriteDump API.
Attack Method:
- Spawn WerFaultSecure.exe as a Protected Process Light (PPL) from an ordinary user-mode process; the binary is signed for that protection level, so no driver or kernel exploit is needed.
- Instruct WerFaultSecure to call MiniDumpWriteDump on the target security process.
- MiniDumpWriteDump suspends the target's threads for as long as the dump is being written.
- Suspend WerFaultSecure itself while the dump is in progress. Suspend/resume is one of the few access rights Windows still grants an unprotected caller against a PPL, so the dump never finishes and the target's threads are never resumed, leaving the security tool in a "frozen" coma state indefinitely.
Impact:
Successful exploitation disables AV/EDR functionality, leaving endpoints exposed to further compromise.
Tested Environment:
Windows 11 24H2; Microsoft Defender confirmed affected.
Threat Assessment
This attack is classified as a design weakness, not a traditional software vulnerability. Since it abuses trusted Windows processes, conventional defenses may fail to detect or block it. The risk is significant for enterprises relying solely on EDR/AV tools for endpoint protection.
Mitigation and Recommendations
1. Monitoring & Detection
- Monitor WER activity targeting sensitive processes (e.g., LSASS, security agents).
- Audit system logs for unusual WerFaultSecure executions.
- Leverage available tools (e.g., Steven Lim’s WER mapping utility) to track suspicious process associations.
- Limit or restrict WER invocation on high-value systems where feasible.
- Apply application control (e.g., WDAC or AppLocker) so that unapproved binaries such as the proof-of-concept cannot execute; note that this blocks the launcher, not the Windows APIs it abuses.
- Await Microsoft’s official security guidance or patches. Potential mitigations may include blocking suspicious invocation of WerFaultSecure, restricting MiniDumpWriteDump calls, or enforcing tighter parameter controls.
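The monitoring points above, written out as detection logic. This is an added example, not code from the page or from the EDR-Freeze proof-of-concept: it scores Sysmon-style process-creation events (Event ID 1 field names) for WerFaultSecure.exe launches on two signals, an unexpected parent process and a `/pid` argument that resolves to a sensitive process. The expected-parent list, the sensitive-image list, the `/pid N` command-line layout and all sample events and PIDs are assumptions constructed for the example and should be tuned against a baseline from your own fleet.

```python
"""Score WerFaultSecure.exe launches for EDR-Freeze-style abuse.

Added example. Assumptions (not from the page): events use Sysmon Event ID 1
field names; WerFaultSecure carries its dump target as "/pid N"; the
expected-parent and sensitive-image lists are placeholders to tune locally.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: WerFaultSecure is normally launched by the WER service host (svchost.exe)
# or by WerFault.exe. Baseline this on your own estate before alerting on it.
EXPECTED_PARENTS = {"svchost.exe", "werfault.exe"}

# Assumption: high-value dump targets (LSASS, Defender engine/sensor); add your EDR agent.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "mssense.exe"}

# Assumption: the target PID is passed as "/pid <number>" on the command line.
PID_ARG = re.compile(r"(?i)(?:^|\s)/pid\s+(\d+)")


@dataclass
class Finding:
    event_pid: int
    parent_image: str
    target_pid: Optional[int]
    target_image: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # 0 signals -> info (routine crash handling), 1 -> medium, 2 -> high
        return {0: "info", 1: "medium"}.get(len(self.reasons), "high")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or mixed) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_pid_from_cmdline(cmdline: str) -> Optional[int]:
    """Extract the dump target PID from a WerFaultSecure command line, if present."""
    m = PID_ARG.search(cmdline)
    return int(m.group(1)) if m else None


def analyze(events: List[dict], process_table: Dict[int, str]) -> List[Finding]:
    """Return one Finding per WerFaultSecure.exe launch, with the signals that fired."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "werfaultsecure.exe":
            continue
        parent = basename(ev["ParentImage"])
        tpid = target_pid_from_cmdline(ev["CommandLine"])
        timage = process_table.get(tpid) if tpid is not None else None
        f = Finding(ev["ProcessId"], parent, tpid, timage)
        if parent not in EXPECTED_PARENTS:
            f.reasons.append(f"unexpected parent {parent}")
        if timage and basename(timage) in SENSITIVE_IMAGES:
            f.reasons.append(f"dump target {basename(timage)} (pid {tpid}) is a security process")
        findings.append(f)
    return findings


# Constructed sample events (not real telemetry): a routine launch, an abusive one, and noise.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 2288 /tid 3012"},
    {"ProcessId": 7752, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\Public\unknown_tool.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 3848 /tid 4188"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Constructed PID -> image snapshot taken alongside the events (assumption: your
# pipeline joins process-creation events to a running-process table this way).
SAMPLE_PROCESS_TABLE = {
    2288: r"C:\Program Files\Contoso\ContosoApp.exe",
    3848: r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, SAMPLE_PROCESS_TABLE):
        print(f"[{f.severity}] WerFaultSecure pid={f.event_pid} parent={f.parent_image} "
              f"target={f.target_image} reasons={f.reasons}")
```

The PID-to-image join is the part that matters most: a WerFaultSecure launch by itself is routine, and the parent check alone can be evaded by a signed or living-off-the-land launcher, so alert on the combination and keep the target-process mapping as the primary signal. A live-response complement, not shown here, is to check whether a WerFaultSecure.exe instance and its dump target both remain suspended well beyond the time a dump would take.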
Conclusion
The EDR-Freeze technique highlights how adversaries can turn legitimate system tools against defenders. Until Microsoft implements stronger safeguards, organizations should proactively monitor WER activity, deploy compensating controls, and ensure layered defenses beyond AV/EDR solutions.