Endpoint detection and response (EDR) systems are critical in protecting against ransomware and other cybersecurity threats. However, a new technique called EDR-Freeze presents a sophisticated method to evade such defenses. This technique leverages Windows Error Reporting and the MiniDumpWriteDump function to temporarily suspend antivirus processes, thereby bypassing their protective measures.
Ingenious Use of Windows Error Reporting
The novelty of EDR-Freeze lies in its ability to operate without installing vulnerable drivers, a common requirement in previous evasion tactics. By utilizing the MiniDumpWriteDump function, it manages to create a minidump of target processes by suspending their threads during the operation. This is particularly significant as it circumvents the typical vulnerabilities exploited with kernel drivers.
The technique, however, faces two primary challenges: extending the brief execution time typical of MiniDumpWriteDump and handling antivirus processes fortified by Protected Process Light (PPL). The researcher overcame these challenges by reverse-engineering WerFaultSecure. This allowed them to trigger MiniDumpWriteDump effectively for any target process.
Overcoming PPL Challenges with CreateProcessAsPPL
The research demonstrated that when combined with CreateProcessAsPPL, WerFaultSecure is capable of launching and suspending PPL-protected child processes—a vital step in this evasion process. The technique exploits a race condition, orchestrating a sequence of actions that start with running WerFaultSecure as a PPL process and setting parameters to dump the target.
Once the target is suspended, WerFaultSecure itself is suspended using PROCESS_SUSPEND_RESUME and NtSuspendProcess functions. If both are suspended simultaneously, the antivirus or EDR process remains indefinitely frozen. This clever pause extends the time the target defense system is inactive, allowing for potentially malicious activities to proceed unchecked without the need to use kernel drivers.
Impact on Cybersecurity Practices
This new method addresses several shortcomings of the BYOVD (Bring Your Own Vulnerable Driver) approach by eliminating driver installation. It provides a flexible approach to controlling when security processes operate or are suspended, offering an unprecedented level of stealth and control for threat actors.
Details of this method, including a proof-of-concept, have been shared publicly on GitHub, increasing awareness and understanding of how these evasive maneuvers can be performed. A mitigating response has been shared in the form of a KQL detection query, but it underscores the continual arms race between those developing cybersecurity defenses and those seeking to overcome them.
