The EDR-Freeze tool is a proof-of-concept exploit that uses only built-in Windows components to suspend EDR and antivirus processes into a “coma” state, leaving them inactive without loading any third-party driver.
Mechanism:
1. MiniDumpWriteDump API: This function, part of the Windows DbgHelp library, creates a memory dump of a target process and, while the dump is being written, suspends all of the target's threads.
2. Bypassing PPL Protection: EDR and antivirus processes are typically protected by Protected Process Light (PPL). The tool utilizes WerFaultSecure.exe, a component of the Windows Error Reporting service, which can run with WinTCB level protection, allowing it to interact with these protected processes.
3. Race Condition Attack: After launching WerFaultSecure.exe to dump the target, the tool polls the target process. As soon as the target enters the suspended state, the tool suspends WerFaultSecure.exe itself. The dump never completes, so the target's threads are never resumed and the process stays suspended indefinitely.
Usage:
Parameters: The tool takes two parameters: the Process ID (PID) of the target process and the duration of the suspension in milliseconds.
Example: On Windows 11 24H2, the tool successfully suspended the MsMpEng.exe process of Windows Defender.
Detection and Mitigation:
Monitoring: Defenders should monitor for unusual executions of WerFaultSecure.exe, especially launches that target sensitive processes such as lsass.exe or EDR agents.
Preventive Measures: Enabling tamper protection, keeping privileged Windows roles tightly controlled, and keeping systems fully patched help reduce the risk of this kind of attack.
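The monitoring guidance above can be turned into a concrete hunt over process-creation telemetry. The following Python is an added example and not part of the original page or the EDR-Freeze project: it parses constructed JSON-lines process-creation events (Sysmon Event ID 1 style), maps PIDs to image names, and flags any WerFaultSecure.exe launch whose parent is outside the expected Windows Error Reporting chain or whose command line names the PID of a sensitive process. The event format, the sample PIDs and paths, the "expected parent" set and the use of numeric command-line tokens as the target PID are all assumptions made for the example.

```python
import json
import re
from typing import Dict, List

# Images whose suspension would blind defenders; extend with your EDR agent binaries.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}

# Assumption for this example: WerFaultSecure.exe is normally spawned by the WER
# service host or by WerFault.exe. Anything else is worth a closer look.
EXPECTED_PARENTS = {"svchost.exe", "werfault.exe"}

# Constructed sample telemetry (JSON lines, Sysmon Event ID 1 style). No line
# comes from a real host; PIDs, paths and command lines are made up.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "ProcessId": 848,
                "Image": r"C:\Windows\System32\lsass.exe",
                "ParentImage": r"C:\Windows\System32\wininit.exe",
                "CommandLine": r"C:\Windows\System32\lsass.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 3120,
                "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x\MsMpEng.exe",
                "ParentImage": r"C:\Windows\System32\services.exe",
                "CommandLine": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x\MsMpEng.exe"}),
    # Benign-looking launch: expected parent, no sensitive PID on the command line.
    json.dumps({"EventID": 1, "ProcessId": 5210,
                "Image": r"C:\Windows\System32\WerFaultSecure.exe",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe 7777"}),
    # Suspicious launch: started by an unknown user-land binary (constructed name)
    # and its command line carries the Defender engine's PID.
    json.dumps({"EventID": 1, "ProcessId": 5344,
                "Image": r"C:\Windows\System32\WerFaultSecure.exe",
                "ParentImage": r"C:\Users\alice\Downloads\suspicious_tool.exe",
                "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe 3120"}),
])


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed record; a real pipeline would count these
    return events


def find_suspicious_werfaultsecure(events: List[dict]) -> List[dict]:
    """Flag WerFaultSecure.exe launches with an unexpected parent or a
    command line that references the PID of a sensitive process."""
    # Build PID -> image map from process-creation events seen in this batch.
    pid_to_image: Dict[int, str] = {
        int(e["ProcessId"]): image_name(e["Image"])
        for e in events if e.get("EventID") == 1 and "Image" in e
    }
    findings = []
    for e in events:
        if e.get("EventID") != 1 or image_name(e.get("Image", "")) != "werfaultsecure.exe":
            continue
        reasons = []
        parent = image_name(e.get("ParentImage", ""))
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        # Assumption: the target PID appears as a bare decimal token on the command line.
        for tok in re.findall(r"\b\d+\b", e.get("CommandLine", "")):
            target = pid_to_image.get(int(tok))
            if target in SENSITIVE_IMAGES:
                reasons.append(f"command line references PID {tok} ({target})")
        if reasons:
            findings.append({"ProcessId": int(e["ProcessId"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_werfaultsecure(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Two caveats when running this against real telemetry: PIDs are reused, so the PID-to-image map should be keyed on a process GUID or bounded to a time window rather than the whole batch, and legitimate crash handling can also launch WerFaultSecure.exe against a protected process, so the finding is a lead for triage rather than a verdict on its own.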
This technique offers a stealthier alternative to traditional methods such as Bring Your Own Vulnerable Driver (BYOVD) attacks, because it does not require introducing a vulnerable driver onto the target system.
