
"Endpoint security tools protect users against compromises. However, EDR-Freeze disables them via error messages within Windows without exploiting any vulnerabilities. The approach revolves around WerFaultSecure, a Windows Error Reporting component with Protected Process Light (PPL) privileges. This service collects crash dumps from sensitive system processes so that they can be debugged. EDR-Freeze exploits the MiniDumpWriteDump API from the DbgHelp library. A security researcher with the screen name TwoSevenOneThree Zero Salarium discovered the danger and explains the potential exploits. The end result can lead to EDR tooling going 'into a coma'."
"When taking a memory snapshot of a process, all threads of the target process are temporarily suspended. Normally, these threads resume as soon as the dump is complete. EDR-Freeze uses a race condition: while WerFaultSecure is busy suspending the EDR process, WerFaultSecure itself is suspended before it can resume the threads."
"Smarter approach than BYOVD"
"Traditional methods of bypassing EDR tools rely on Bring Your Own Vulnerable Driver (BYOVD) techniques."
"EDR-Freeze works differently. TwoSevenOneThree Zero Salarium developed a method that operates entirely from user mode. The technique uses Windows components that are standard in the operating system, eliminating the need for external drivers. Windows cannot detect this as malicious behavior because the processes in question could normally run one after the other."
"Defense possible but limited"
"According to the researcher, defense can be achieved by monitoring whether WER refers to identifiers of sensitive processes such as LSASS or security tools."
EDR-Freeze disables endpoint security by abusing WerFaultSecure, the Windows Error Reporting component that runs with Protected Process Light privileges to collect crash dumps, and its use of MiniDumpWriteDump to suspend EDR processes. When a memory snapshot is taken, all threads of the target are suspended; EDR-Freeze exploits a race in which WerFaultSecure is itself suspended before it can resume those threads, leaving the EDR tool hung. The method runs entirely in user mode and uses standard Windows components, so no vulnerable kernel driver has to be installed. Traditional BYOVD techniques require such drivers and leave riskier traces. The limited defense available is to monitor WER requests for identifiers of sensitive processes such as LSASS or the security tools themselves.
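As an added detection sketch, not code from the article or from the researcher: correlate process-creation events so that a WerFaultSecure launch whose target pid resolves to LSASS or an EDR binary is flagged. The log line format, the EDR image names and the `/pid <n>` command-line layout are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Process images that should not appear as WER dump targets in normal operation.
# lsass.exe is named in the article; the EDR image names are placeholders to be
# replaced with the agent binaries actually deployed.
SENSITIVE_IMAGES = {"lsass.exe", "edr-agent.exe", "sensor-service.exe"}

# Assumption (not from the article): WerFaultSecure receives the target process
# id on its command line as "/pid <n>"; matched case-insensitively.
PID_ARG = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)

@dataclass
class ProcessEvent:
    pid: int
    image: str
    cmdline: str

def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'pid=<n> image=<name> cmd=<rest>' process-creation line."""
    m = re.match(r"pid=(\d+)\s+image=(\S+)\s+cmd=(.*)$", line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcessEvent(int(m.group(1)), m.group(2).lower(), m.group(3))

def find_suspicious_dumps(lines):
    """Return (werfault_pid, target_pid, target_image) for each WerFaultSecure
    launch whose /pid argument points at a sensitive process."""
    pid_to_image = {}
    hits = []
    for line in lines:
        ev = parse_event(line)
        pid_to_image[ev.pid] = ev.image  # newest creation wins if a pid is reused
        if ev.image != "werfaultsecure.exe":
            continue
        m = PID_ARG.search(ev.cmdline)
        if m and pid_to_image.get(int(m.group(1))) in SENSITIVE_IMAGES:
            target = int(m.group(1))
            hits.append((ev.pid, target, pid_to_image[target]))
    return hits

# Constructed sample events; not real telemetry.
SAMPLE_LOG = [
    "pid=732 image=lsass.exe cmd=C:\\Windows\\System32\\lsass.exe",
    "pid=4120 image=edr-agent.exe cmd=C:\\Program Files\\EDR\\edr-agent.exe",
    "pid=5310 image=notepad.exe cmd=notepad.exe",
    "pid=6001 image=WerFaultSecure.exe cmd=WerFaultSecure.exe /h /pid 5310 /tid 5322",
    "pid=6002 image=WerFaultSecure.exe cmd=WerFaultSecure.exe /h /pid 4120 /tid 4130",
    "pid=6003 image=WerFaultSecure.exe cmd=WerFaultSecure.exe /h /pid 732 /tid 740",
]
```

Running `find_suspicious_dumps(SAMPLE_LOG)` flags only the two launches aimed at the EDR agent and LSASS; the dump of notepad.exe passes as ordinary crash handling.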
Read at Techzine Global