Suspicious Process Suspension via WERFaultSecure through EDR-Freeze

Detects attempts to freeze a process, likely an EDR or antimalware service process, via EDR-Freeze, which abuses the WerFaultSecure.exe process to suspend security software.

Sigma rule (View on GitHub)

title: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
status: experimental
description: |
        Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\WerFaultSecure.exe'
        CommandLine|contains|all:
            - ' /h '
            - ' /pid ' # Antimalware or EDR process pid will be after this line
            - ' /tid '
            - ' /encfile '
            - ' /cancel '
            - ' /type '
            - ' 268310'
    condition: selection
falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
level: high
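The following is an added example, not part of the rule or the Sigma project, that re-implements the rule's selection logic in plain Python and runs it over a few constructed process_creation events so the match semantics can be checked offline. It assumes Sigma's default string handling (plain values compare case-insensitively as whole strings; `contains|all` requires every listed token as a case-insensitive substring) and uses made-up PIDs, TIDs and file paths; the event dicts, the `selection_matches` and `evaluate` helper names, and the sample labels are all constructed here.

```python
"""Evaluate the rule's 'selection' block over constructed process_creation events.

Assumptions (not taken from the rule itself): field names follow the Sigma
process_creation taxonomy (Image, CommandLine); helper names and sample
events are invented for this example.
"""

# Values copied verbatim from the rule's selection block.
RULE_IMAGE = r"C:\Windows\System32\WerFaultSecure.exe"
RULE_COMMANDLINE_TOKENS = [
    " /h ",
    " /pid ",
    " /tid ",
    " /encfile ",
    " /cancel ",
    " /type ",
    " 268310",
]


def sigma_equals(value, pattern):
    """Sigma plain string match: whole value, case-insensitive, no wildcards used here."""
    return value.casefold() == pattern.casefold()


def sigma_contains_all(value, tokens):
    """Sigma 'contains|all': every token must occur as a case-insensitive substring."""
    folded = value.casefold()
    return all(token.casefold() in folded for token in tokens)


def selection_matches(event):
    """True when the event satisfies 'selection' (the rule's condition is just 'selection')."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return sigma_equals(image, RULE_IMAGE) and sigma_contains_all(
        cmdline, RULE_COMMANDLINE_TOKENS
    )


# Constructed sample events (not real telemetry); PIDs, TIDs and paths are placeholders.
SAMPLE_EVENTS = [
    {
        # Carries every token the rule requires -> expected to alert.
        "label": "all-tokens-present",
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 1234 /tid 5678 "
                       r"/encfile C:\Temp\placeholder.dmp /cancel 100 /type 268310",
    },
    {
        # Same binary with only some of the switches -> 'contains|all' fails, no alert.
        "label": "werfaultsecure-partial-args",
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 4321 /tid 8765",
    },
    {
        # Ordinary WerFault.exe crash handling -> Image does not match, no alert.
        "label": "werfault-regular",
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 1000 -s 200",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample label to whether the rule would fire on that event."""
    return {event["label"]: selection_matches(event) for event in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label}: {'ALERT' if hit else 'no match'}")
```

Two details of the rule are worth noticing when tuning it: the tokens are padded with spaces (`' /pid '`, not `/pid`), so the switch must appear as a separate argument rather than as part of a longer string, and the last token `' 268310'` is a leading-space substring, so it also matches any longer numeric value that begins with those digits. Because Sigma compares case-insensitively, `/PID` and `/pid` are treated alike, which the test below also exercises.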
