PPL Tampering Via WerFaultSecure

Detects potential abuse of WerFaultSecure.exe, the PPL-capable Windows Error Reporting dump helper, to dump Protected Process Light (PPL) processes such as LSASS or to freeze security solutions (EDR/antivirus). The technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections, either to read sensitive process memory or to leave a security product suspended. The rule keys on the WerFaultSecure.exe child process and the full set of switches the tools pass to it (/h, /pid, /tid, /encfile, /cancel, /type 268310), so it still fires if the launching tool is renamed; the ParentCommandLine is not part of the match but helps triage which tool was used:

  • WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
  • EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine

Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated. On a hit, the value after /pid is the targeted process: resolve it against the process list to confirm whether it is LSASS (credential access) or an AV/EDR service (defense evasion).

Sigma rule (View on GitHub)

title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
status: experimental
description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
    This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
    Distinct command line patterns help identify the specific tool:
    - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
    - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
    Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
    - https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        # Either clause is enough: a renamed copy still carries the original PE name
        - Image|endswith: '\WerFaultSecure.exe'
        - OriginalFileName: 'WerFaultSecure.exe'
    selection_args:
        CommandLine|contains|all:
            - ' /h '
            - ' /pid ' # Antimalware or EDR process pid will be after this flag
            - ' /tid '
            - ' /encfile '
            - ' /cancel '
            - ' /type '
            - ' 268310' # /type value passed by the tools referenced above
    condition: all of selection_*
falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
level: high
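To show what the rule actually matches, the following added example (not part of the Sigma rule or of the referenced tools) re-implements its selection logic in Python and runs it over constructed Sysmon-style process-creation events. It also adds a triage helper that attributes a hit to WSASS or EDR-Freeze from the ParentCommandLine patterns given in the description and pulls the targeted PID out of the child command line. The events, PIDs, paths and parent command lines are made up for the demonstration; Sigma string matching is case-insensitive by default, so the example lower-cases everything before comparing.

```python
"""Run the 'PPL Tampering Via WerFaultSecure' selection over constructed events (added example)."""
import re

# Tokens from selection_args; Sigma |contains is case-insensitive, so compare in lower case.
REQUIRED_ARGS = [' /h ', ' /pid ', ' /tid ', ' /encfile ', ' /cancel ', ' /type ', ' 268310']

# Triage patterns derived from the ParentCommandLine shapes in the rule description.
WSASS_RE = re.compile(r'wsass\.exe\s+\S*werfaultsecure\.exe\s+\d+', re.IGNORECASE)
EDR_FREEZE_RE = re.compile(r'edr-freeze\S*\.exe\s+\d+\s+\d+', re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """selection_image (Image suffix OR OriginalFileName) AND selection_args (all tokens present)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_image = image.endswith(r"\werfaultsecure.exe") or original == "werfaultsecure.exe"
    selection_args = all(token in cmd for token in REQUIRED_ARGS)
    return selection_image and selection_args


def attribute_tool(event: dict) -> str:
    """Best-effort attribution from ParentCommandLine; 'unknown' if neither pattern fits."""
    parent = event.get("ParentCommandLine", "")
    if WSASS_RE.search(parent):
        return "WSASS"
    if EDR_FREEZE_RE.search(parent):
        return "EDR-Freeze"
    return "unknown"


def target_pid(event: dict):
    """The process WerFaultSecure was pointed at: the integer after /pid, or None."""
    m = re.search(r'/pid\s+(\d+)', event.get("CommandLine", ""), re.IGNORECASE)
    return int(m.group(1)) if m else None


def scan(events):
    """Return one finding per matching event: (tool attribution, targeted pid, parent image)."""
    return [(attribute_tool(e), target_pid(e), e.get("ParentImage", "")) for e in events if matches_rule(e)]


# Constructed sample events (hypothetical PIDs, paths and parents; not real telemetry).
WFS = r"C:\Windows\System32\WerFaultSecure.exe"
EVENTS = [
    {   # EDR-Freeze pointing WerFaultSecure at a hypothetical EDR service (pid 4812)
        "Image": WFS, "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": WFS + r" /h /pid 4812 /tid 5320 /encfile C:\Temp\edr.dmp /cancel 2460 /type 268310",
        "ParentImage": r"C:\Users\Public\EDR-Freeze_1.0.exe",
        "ParentCommandLine": "EDR-Freeze_1.0.exe 4812 60000",
    },
    {   # WSASS pointing WerFaultSecure at LSASS (pid 712)
        "Image": WFS, "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": WFS + r" /h /pid 712 /tid 716 /encfile C:\Temp\lsass.dmp /cancel 3100 /type 268310",
        "ParentImage": r"C:\Users\Public\WSASS.exe",
        "ParentCommandLine": r"WSASS.exe C:\Windows\System32\WerFaultSecure.exe 712",
    },
    {   # Renamed copy of the binary: only OriginalFileName gives it away, parent is generic
        "Image": r"C:\Temp\wfs.exe", "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r"C:\Temp\wfs.exe /h /pid 4812 /tid 5320 /encfile C:\Temp\x.dmp /cancel 2460 /type 268310",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe /c C:\Temp\run.bat",
    },
    {   # Ordinary WerFault.exe crash handling: wrong image, different switches
        "Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 9016 -s 1292",
        "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "svchost.exe -k WerSvcGroup",
    },
    {   # WerFaultSecure with an incomplete switch set: no match because |contains|all needs every token
        "Image": WFS, "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": WFS + " /h /pid 9016 /tid 1292",
        "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "svchost.exe -k WerSvcGroup",
    },
]

if __name__ == "__main__":
    for tool, pid, parent in scan(EVENTS):
        print(f"HIT tool={tool} target_pid={pid} parent={parent}")
```

The third event is why selection_image is an OR: the binary was copied and renamed, the Image check fails, and only OriginalFileName (taken from the PE version resource) still identifies it. The last two events show the two main non-matches a hunt will see, regular WerFault.exe crash handling and a WerFaultSecure launch that lacks the full switch set. Attribution from ParentCommandLine is a triage aid only; a renamed tool lands in "unknown" and the alert still stands.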
