Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
Sigma rule (View on GitHub)
1title: Hacktool - EDR-Freeze Execution
2id: c598cc0c-9e70-4852-b9eb-8921af79f598
3status: experimental
4description: |
5 Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
6 EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
7 This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
8date: 2025-09-24
9references:
10 - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
11 - https://github.com/TwoSevenOneT/EDR-Freeze
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13tags:
14 - attack.defense-evasion
15 - attack.t1562.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 Image|contains: '\EDR-Freeze'
22 Image|endswith: '.exe'
23 selection_imphash:
24 Hashes|contains:
25 - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
26 - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
27 - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
28 - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
29 - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
30 - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
31 condition: 1 of selection_*
32falsepositives:
33 - Unlikely
34level: high
References
-
EDR-Freeze exploits the vulnerability of WerFaultSecure to suspend the processes of EDRs and Antimalware, halting the operation of Antivirus and EDR
Read More -
EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state. - TwoSevenOneT/EDR-Freeze
Read More
Related rules
- Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Removal Of AMSI Provider Registry Keys
- Suspicious Uninstall of Windows Defender Feature via PowerShell
- Suspicious Windows Service Tampering