PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
Sigma rule
title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
      type: similar
status: experimental
description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
    This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
    Distinct command line patterns help identify the specific tool:
    - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
    - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
    Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
    - https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\WerFaultSecure.exe'
        - OriginalFileName: 'WerFaultSecure.exe'
    selection_args:
        CommandLine|contains|all:
            - ' /h '
            - ' /pid ' # Antimalware or EDR process pid will be after this flag
            - ' /tid '
            - ' /encfile '
            - ' /cancel '
            - ' /type '
            - ' 268310'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
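As an added illustration of how the rule's two selections combine (this is example code written for this page, not part of the SigmaHQ rule, the Sysmon project, or the EDR-Freeze and WSASS tools), the following Python evaluates the `selection_image` / `selection_args` logic over a few constructed process-creation events using the Sysmon field names the rule references, then applies the ParentCommandLine attribution the description suggests as a triage step. All PIDs, handle values, file paths and the EDR-Freeze version suffix in the sample events are invented.

```python
import re

# The seven tokens from the rule's selection_args (CommandLine|contains|all).
# Sigma string modifiers are case-insensitive unless stated otherwise, so every
# comparison below is done on lowercased text; the tokens are already lowercase.
REQUIRED_ARGS = (" /h ", " /pid ", " /tid ", " /encfile ", " /cancel ", " /type ", " 268310")


def matches_image(event: dict) -> bool:
    """selection_image is a list of two maps, which Sigma ORs together."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\werfaultsecure.exe") or original == "werfaultsecure.exe"


def matches_args(event: dict) -> bool:
    """selection_args uses contains|all, so every token must be present."""
    cmdline = event.get("CommandLine", "").lower()
    return all(token in cmdline for token in REQUIRED_ARGS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return matches_image(event) and matches_args(event)


def attribute_tool(parent_cmdline: str) -> str:
    """Triage helper, not part of the rule: the ParentCommandLine patterns the
    rule description gives for the two known tools. Anything else is 'unknown'."""
    parent = parent_cmdline.lower()
    if "wsass.exe" in parent and "werfaultsecure.exe" in parent:
        return "WSASS"
    if re.search(r"edr-freeze_\S*\.exe", parent):  # EDR-Freeze_[version].exe
        return "EDR-Freeze"
    return "unknown"


def extract_target_pid(cmdline: str):
    """The number after /pid is the process being dumped or frozen (see the rule comment)."""
    match = re.search(r"/pid\s+(\d+)", cmdline, re.IGNORECASE)
    return int(match.group(1)) if match else None


# Constructed sample events (Sysmon Event ID 1 style fields). Values are made up.
SAMPLE_EVENTS = [
    {   # EDR-Freeze-style invocation: genuine binary, full flag set
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r'"C:\Windows\System32\WerFaultSecure.exe" /h /pid 4321 /tid 4444 /encfile C:\Users\Public\out.bin /cancel 0x2a4 /type 268310',
        "ParentCommandLine": "EDR-Freeze_1.0.exe 4321 60",
    },
    {   # Hypothetical: binary copied under another name. Image check fails,
        # the OriginalFileName branch still fires.
        "Image": r"C:\Users\Public\wfs.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r'"C:\Users\Public\wfs.exe" /h /pid 712 /tid 800 /encfile C:\Users\Public\lsass.bin /cancel 0x1c0 /type 268310',
        "ParentCommandLine": "WSASS.exe WerFaultSecure.exe 712",
    },
    {   # Ordinary WerFault.exe crash report: wrong image, no match
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 9000 -s 1200",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup",
    },
    {   # WerFaultSecure.exe without the full flag set the rule demands: no match
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r'"C:\Windows\System32\WerFaultSecure.exe" /h /pid 4321 /tid 4444',
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup",
    },
]


def triage(events):
    """Run the rule over events; enrich each hit with tool attribution and target PID."""
    hits = []
    for event in events:
        if rule_matches(event):
            hits.append({
                "image": event["Image"],
                "tool": attribute_tool(event.get("ParentCommandLine", "")),
                "target_pid": extract_target_pid(event["CommandLine"]),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Two points the samples make explicit. The rule itself never reads ParentCommandLine; the WSASS / EDR-Freeze attribution is analyst context layered on top of a hit, so an unknown parent is still a hit. And because `selection_args` is `contains|all`, a command line missing any single token does not match: that keeps the false-positive rate low for a `high`-level rule, but it also means variants with a different argument layout need their own coverage, which is why the related LSASS-access rules below are worth keeping enabled alongside this one.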
Related rules
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Process Access via TrolleyExpress Exclusion
- Potential LSASS Process Dump Via Procdump
- CreateDump Process Dump