Hacktool - EDR-Freeze Execution

 1title: Hacktool - EDR-Freeze Execution
 2id: c598cc0c-9e70-4852-b9eb-8921af79f598
 3status: experimental
 4description: |
 5    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
 6    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
 7    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.    
 8references:
 9    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
10    - https://github.com/TwoSevenOneT/EDR-Freeze
11author: Swachchhanda Shrawan Poudel (Nextron Systems)
12date: 2025-09-24
13modified: 2025-11-27
14tags:
15    - attack.defense-evasion
16    - attack.t1562.001
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        Image|contains:
23            - '\EDR-Freeze'
24            - '\EDRFreeze'
25        Image|endswith: '.exe'
26    selection_imphash:
27        Hashes|contains:
28            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
29            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
30            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
31            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
32            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
33            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
34            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
35            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
36    condition: 1 of selection_*
37falsepositives:
38    - Unlikely
39level: high
40regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml