A new security research finding, EDR-Freeze, describes a method for temporarily disabling antivirus processes and Endpoint Detection and Response (EDR) agents on Windows systems. Devised by a Zero Salarium researcher, the method relies only on built-in system utilities, avoiding the vulnerable third-party drivers that such tooling usually depends on and that themselves pose security risks.
Exploiting System Tools and Race Conditions
The EDR-Freeze method cleverly leverages native operating system behavior alongside race conditions. One core component of the exploit is MiniDumpWriteDump, a function that suspends all threads of a target process while generating a snapshot. Typically, the initiator of the dump is responsible for resuming the process once the dump is complete. However, EDR-Freeze subverts this workflow, leaving the process suspended.
A critical aspect of this technique is manipulating WerFaultSecure to execute with Protected Process Light (PPL) privileges at the WinTCB level, enabling it to initiate a dump of a specified Process ID (PID). During this operation, WerFaultSecure unexpectedly suspends itself at a crucial juncture. This self-suspension means the affected process cannot resume, as the initiator tasked with its revival is no longer operational.
Utility Details and Demonstration
The EDR-Freeze utility itself is relatively straightforward, requiring only a target PID and a defined pause time in milliseconds. By systematically executing the outlined steps, the utility effectively keeps the antivirus process immobilized. Its efficacy was demonstrated by suspending MsMpEng.exe, a core component of Windows Defender, on a Windows 11 24H2 system. Process Explorer was used to monitor the suspension status, showcasing the potential real-world implications of the technique.
Security Implications and Recommendations
This innovative approach represents a significant concern for endpoint security frameworks, as EDR-Freeze operates entirely within user mode, bypassing conventional security measures reliant on detecting third-party driver exploitation. The essence of the risk lies in the method's ability to manipulate trusted system components to achieve its goals.
To counter this technique, the research points to the need for vigilant monitoring of WerFaultSecure's launch parameters (its command line). Watching for anomalies that indicate unsanctioned references to the PIDs of sensitive services, such as LSASS, antivirus processes, or EDR agents, is critical. Comprehensive measures to verify the integrity of protected-process launch chains and to detect unusual dump-creation patterns are essential for bolstering defenses against potential misuse.
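The monitoring the research recommends can be expressed as a small check over process-creation telemetry. The following Python is an added example written for this article; it is not code from the Zero Salarium research or from any EDR vendor. It assumes process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), assumes WerFaultSecure receives the target PID as a "/pid <n>" argument (with a fallback that treats any bare integer on the command line as a candidate PID), and uses a constructed PID-to-image snapshot to resolve which process the dump request targets. Every record and PID below is constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Set

# Image names the page calls out as sensitive: LSASS, antivirus (MsMpEng.exe is named
# on the page), and EDR agents. Add your own agent image names here (assumption).
SENSITIVE_IMAGES: Set[str] = {"lsass.exe", "msmpeng.exe"}

# Explicit "/pid <n>" argument. That WerFaultSecure takes the PID in this form is an
# assumption for this example; ANY_INT is the fallback for other argument spellings.
PID_FLAG = re.compile(r"[/-]pid\s+(\d+)", re.IGNORECASE)
ANY_INT = re.compile(r"(?<![\w\\])(\d{2,})(?![\w\\])")


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_pids(cmdline: str) -> Set[int]:
    """PIDs referenced on a command line: explicit /pid values, else any bare integers."""
    explicit = {int(m) for m in PID_FLAG.findall(cmdline)}
    if explicit:
        return explicit
    return {int(m) for m in ANY_INT.findall(cmdline)}


def flag_werfaultsecure_dumps(
    events: Iterable[Dict[str, str]],
    process_table: Dict[int, str],
    sensitive: Set[str] = SENSITIVE_IMAGES,
) -> List[Dict[str, object]]:
    """Return one finding per WerFaultSecure launch whose PID argument resolves to a
    sensitive process. PIDs absent from the snapshot are skipped rather than guessed."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if image_name(ev["Image"]) != "werfaultsecure.exe":
            continue
        for pid in extract_pids(ev["CommandLine"]):
            target = process_table.get(pid)
            if target is None:
                continue  # cannot attribute this PID from our snapshot
            if image_name(target) in sensitive:
                findings.append({
                    "pid": pid,
                    "target": image_name(target),
                    "parent": image_name(ev["ParentImage"]),
                    "cmdline": ev["CommandLine"],
                })
    return findings


# Constructed process-creation records (Sysmon-like field names are an assumption).
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 4711 /tid 8 /file C:\Temp\out.dmp",
     "ParentImage": r"C:\Users\alice\Desktop\tool.exe"},
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 3022 /tid 12 /file C:\ProgramData\x.dmp",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 640 /tid 4 /file C:\Temp\l.dmp",
     "ParentImage": r"C:\Users\alice\Desktop\tool.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed PID -> image snapshot taken at the time of the events.
PROCESS_TABLE: Dict[int, str] = {
    4711: r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    3022: r"C:\Program Files\Contoso\app.exe",
    640: r"C:\Windows\System32\lsass.exe",
}

if __name__ == "__main__":
    for f in flag_werfaultsecure_dumps(EVENTS, PROCESS_TABLE):
        print(f"ALERT: WerFaultSecure (parent {f['parent']}) targeting {f['target']} "
              f"pid={f['pid']}: {f['cmdline']}")
```

In a real deployment the snapshot comes from the same telemetry stream (the PID's own process-creation event) rather than a static table, and the parent image is worth keeping in the finding: a WerFaultSecure launch whose parent is not the Windows Error Reporting service is the second signal the research's "launch chain integrity" advice refers to.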