Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze

calendar Dec 10, 2025 · attack.defense-evasion attack.t1562.001  ·
Share on: linkedin copy

Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.

Sigma rule (View on GitHub)

 1title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
 2id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
 3related:
 4    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
 5      type: similar
 6    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
 7      type: similar
 8status: experimental
 9description: |
10    Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.
11    This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.    
12references:
13    - https://blog.axelarator.net/hunting-for-edr-freeze/
14author: Swachchhanda Shrawan Poudel (Nextron Systems)
15date: 2025-11-27
16tags:
17    - attack.defense-evasion
18    - attack.t1562.001
19logsource:
20    category: process_access
21    product: windows
22    definition: |
23        Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled.
24        Example sysmon config snippet with grouping, as logging individual ProcessAccess events can generate excessive logs:
25        <ProcessAccess onmatch="include">
26            <Rule groupRelation="and">
27            <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
28            <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
29            </Rule>
30        </ProcessAccess>        
31detection:
32    selection:
33        SourceImage|endswith: '\WerFaultSecure.exe'
34        TargetImage|endswith: '\MsMpEng.exe'
35        CallTrace|contains:
36            - '\dbgcore.dll'
37            - '\dbghelp.dll'
38    condition: selection
39falsepositives:
40    - Legitimate Windows Error Reporting operations
41level: high
42regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml

References

  • Hunting for EDR-Freeze

    EDR bypassing has become a technique of choice for threat actors and has enabled a market of tools being sold on cybercrime forums: * Unit42 uncovered a variant of EDRSandBlast being sold on XSS and Exploit. * CheckPoint Research uncovered the use of a vulnerable driver, Truesight.sys, which evaded the Microsoft


    Read More

Related rules

to-top