Novel attack technique freezes endpoint security via Windows function

Novel attack technique freezes endpoint security via Windows function

Briefly

"Endpoint security tools protect users against compromises. However, EDR-Freeze disables them via error messages within Windows without exploiting any vulnerabilities. The approach revolves around WerFaultSecure, a Windows Error Reporting component with Protected Process Light (PPL) privileges. This service collects crash dumps from sensitive system processes so that they can be debugged. EDR-Freeze exploits the MiniDumpWriteDump API from the DbgHelp library. A security researcher with the screen name TwoSevenOneThree Zero Salarium discovered the danger and explains the potential exploits. The end result can lead to EDR tooling going "into a coma.""

"When taking a memory snapshot of a process, all threads of the target process are temporarily suspended. Normally, these threads resume as soon as the dump is complete. EDR-Freeze uses a race condition: while WerFaultSecure is busy suspending the EDR process, WerFaultSecure itself is suspended before it can resume the threads. Smarter approach than BYOVD Traditional methods of bypassing EDR tools rely on Bring Your Own Vulnerable Driver (BYOVD) techniques."

"EDR-Freeze works differently. TwoSevenOneThree Zero Salarium developed a method that operates entirely from user mode. The technique uses Windows components that are standard in the operating system, eliminating the need for external drivers. Windows cannot detect this as malicious behavior because the processes in question could normally run one after the other. Defense possible but limited According to the researcher, defense can be achieved by monitoring whether WER refers to identifiers of sensitive processes such as LSASS or security tools."