WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function. The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot. The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes. By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
Sigma rule (View on GitHub)
1title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
2id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
3related:
4 - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
5 type: similar
6 - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
7 type: similar
8status: experimental
9description: |
10 Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
11 The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
12 The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
13 By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
14references:
15 - https://github.com/TwoSevenOneT/EDR-Freeze
16 - https://blog.axelarator.net/hunting-for-edr-freeze/
17author: Swachchhanda Shrawan Poudel (Nextron Systems)
18date: 2025-11-27
19tags:
20 - attack.defense-evasion
21 - attack.t1562.001
22logsource:
23 category: image_load
24 product: windows
25detection:
26 selection:
27 Image|endswith: '\WerFaultSecure.exe'
28 ImageLoaded|endswith:
29 - '\dbgcore.dll'
30 - '\dbghelp.dll'
31 condition: selection
32falsepositives:
33 - Unknown
34level: medium
35regression_tests_path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
References
-
EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state. - TwoSevenOneT/EDR-Freeze
Read More -
EDR bypassing has become a technique of choice for threat actors and has enabled a market of tools being sold on cybercrime forums: * Unit42 uncovered a variant of EDRSandBlast being sold on XSS and Exploit. * CheckPoint Research uncovered the use of a vulnerable driver, Truesight.sys, which evaded the Microsoft
Read More
Related rules
- Hacktool - EDR-Freeze Execution
- PPL Tampering Via WerFaultSecure
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs