In a recent development, the emergence of a proof-of-concept tool, EDR-Freeze, has captured attention due to its potential to temporarily disable antivirus and endpoint detection and response (EDR) solutions. By utilizing a unique approach, the tool places these security measures into a 'coma' state, exploiting the Windows MiniDumpWriteDump function.
Typically, the MiniDumpWriteDump function is used to create memory dumps by suspending all threads in a target process. EDR-Freeze, however, extends this suspension indefinitely, a feat achieved using user-mode code alone, thus eliminating the requirement for installing additional third-party drivers.
Bypassing Security Protections
To effectively bypass Protected Process Light (PPL) protections, EDR-Freeze employs a sophisticated technique using WerFaultSecure.exe. This component is a part of Windows Error Reporting, operating at a level termed the Windows Trusted Computing Base (WinTCB). It is leveraged to invoke the MiniDumpWriteDump function on protected EDR and antivirus processes.
The ingenuity of EDR-Freeze lies in its deployment of a race-condition attack. By suspending the WerFaultSecure.exe process as it initiates the dump creation, the operation remains incomplete. Consequently, the security process in question remains suspended indefinitely, rendering it inactive until the dumper process is terminated.
The flexibility of EDR-Freeze is apparent in its ability to accept a target process identifier (PID) alongside a specified suspension duration in milliseconds. Demonstrations have illustrated its capability to suspend MsMpEng.exe, also known as Windows Defender, specifically impacting Windows 11 24H2 environments.
Implications for Cybersecurity
With the deployment of EDR-Freeze, cybersecurity professionals are urged to maintain heightened vigilance. One recommended strategy is monitoring unusual executions of WerFaultSecure.exe, especially those targeting sensitive PIDs, such as EDR agents or the lsass.exe process. By treating these actions as high-priority alerts, defenders can proactively counteract the potential vulnerabilities exploited by the EDR-Freeze tool.
Overall, while EDR-Freeze currently exists as a proof-of-concept, its release illustrates a substantial need for bolstering defenses and enhancing the scrutiny of software safeguards within operating systems. The innovative use of system processes to bypass established protections underscores the evolving landscape of cybersecurity threats, necessitating continuous adaptation and awareness within the tech community.
