A recently unveiled tool, EDR-Freeze, developed by the security researcher TwoSevenOneT, is creating ripples in the cybersecurity community. Its ability to temporarily disable endpoint detection and response (EDR) systems and antivirus software without using vulnerable drivers has caught significant attention. The tool exploits a race condition within Windows Error Reporting functionality to disrupt security processes.
Innovative Exploit Strategy
EDR-Freeze leverages the MiniDumpWriteDump from the Windows DbgHelp library, which is used to create memory snapshots. This function suspends threads in the target process for consistent capture. This innovative method has been demonstrated by suspending critical processes, such as MsMpEng.exe (Windows Defender) on Windows 11 24H2. By triggering a dump against the security software and suspending the process itself, EDR-Freeze effectively freezes the target security solution.
The tool specifically targets WerFaultSecure.exe, a reporting component operating at the WinTCB level with Protected Process Light (PPL), and employs CreateProcessAsPPL to circumvent PPL protections. This method is particularly noteworthy as it utilizes legitimate Windows components rather than deploying vulnerable drivers, thus making detection more challenging than traditional Bring Your Own Vulnerable Driver (BYOVD) techniques.
- Target Process ID: EDR-Freeze can accept the target process ID and define a suspension duration, facilitating temporary deactivation of monitoring capabilities.
- Stealth Applications: This ability to run quietly and avoid detection is among the primary concerns regarding its potential misuse.
Security Concerns and Recommendations
The publication of EDR-Freeze's source code on GitHub aims to support research and assist red team operations. However, this openness also raises substantial concerns about the tool's potential for malicious exploitation. Security teams have been advised to monitor WerFaultSecure.exe command-line parameters closely, especially for any suspicious activities targeting LSASS, antivirus engines, or EDR agents.
Experts suggest implementing additional process protection mechanisms that go beyond standard PPL safeguards. As individuals and companies invest in strengthening digital defenses, understanding the capabilities and potential misuse of tools like EDR-Freeze remains vital in maintaining robust security postures.
