A recent proof-of-concept named EDR-Freeze has emerged, showcasing a technique that permits attackers to bypass endpoint detection and response (EDR) systems, as well as antivirus solutions, by exploiting the Microsoft Windows Error Reporting (WER) system. Developed by researchers aiming to expose potential vulnerabilities, EDR-Freeze operates in user mode and eliminates the need for flawed kernel drivers. This novel approach places security agents into a state of hibernation, effectively making them inactive.
Exploring the Mechanics of EDR-Freeze
EDR-Freeze leverages
The method of attack operates through a carefully coordinated race condition, executed via four distinct steps. The sequence begins with spawning WerFaultSecure as a PPL. Next, it is instructed to activate the MiniDumpWriteDump on the target Process ID (PID). Following this, the attacker waits for the target process to be suspended before executing the final step, which involves suspending the
Implications and Potential Countermeasures
During testing on Windows 11 24H2, this method was shown to successfully freeze critical processes such as the Windows Defender, culminating in a significant security concern due to its effectiveness. The underlying issue stems from the design interaction between MiniDumpWriteDump and WerFaultSecure, recognized more as a design flaw rather than a direct vulnerability.
To counteract these weaknesses, several defenses have been proposed. These include vigilant monitoring of WER invocations, particularly those related to sensitive PIDs like LSASS or other security tools. Additionally, mapping activity related to
While the implications are still unfolding, the EDR-Freeze technique has prompted significant conversations about the robustness of endpoint protection measures. As researchers like Zero Salarium contribute to unveiling these issues, it remains crucial for security teams and technology providers to address these inherent vulnerabilities proactively.
