Suspicious Process Suspension via WERFaultSecure through EDR-Freeze

Detects attempts to freeze a process, most likely an EDR or antimalware service, with EDR-Freeze, a tool that abuses WerFaultSecure.exe to suspend security software. The rule keys on a WerFaultSecure.exe launch (by image path or by the PE OriginalFileName) whose command line carries the full set of flags the tool passes, including /type 268310.

Sigma rule

title: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
status: experimental
description: |
    Detects attempts to freeze a process, most likely an EDR or antimalware service, with EDR-Freeze, a tool that abuses WerFaultSecure.exe to suspend security software.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-10-10
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\WerFaultSecure.exe'
        - OriginalFileName: 'WerFaultSecure.exe'   # PE version info; still matches if the binary is copied and renamed
    selection_args:
        CommandLine|contains|all:
            - ' /h '
            - ' /pid ' # Antimalware or EDR process pid will be after this flag
            - ' /tid '
            - ' /encfile '
            - ' /cancel '
            - ' /type '
            - ' 268310'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
level: high
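
The rule's selection logic applied to a few constructed process_creation events, as an added example that is neither the rule author's code nor a Sigma backend. Field names follow Sysmon; the pids, tids, file paths and event labels are placeholders made up for this page. It shows that the two entries under selection_image are OR-ed, so a copied and renamed WerFaultSecure.exe is still caught through OriginalFileName, and that contains|all demands every token, so a command line missing a single flag (here /cancel) does not fire. Sigma string matching is case-insensitive unless the cased modifier is used, which the code mirrors.

```python
"""Constructed example for this page: the Sigma rule's selection logic
evaluated over sample process_creation events. Not the rule author's code
and not a Sigma backend; it only mirrors the YAML above."""

# Tokens from selection_args: CommandLine|contains|all (order does not matter).
REQUIRED_TOKENS = (" /h ", " /pid ", " /tid ", " /encfile ", " /cancel ", " /type ", " 268310")


def selection_image(event: dict) -> bool:
    """selection_image is a list of two maps; Sigma ORs the items of a list.
    Matching is case-insensitive unless the |cased modifier is used."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\werfaultsecure.exe") or original == "werfaultsecure.exe"


def missing_tokens(event: dict) -> list:
    """Tokens of selection_args absent from CommandLine (empty list means it matches)."""
    cmd = event.get("CommandLine", "").lower()
    return [tok for tok in REQUIRED_TOKENS if tok.lower() not in cmd]


def selection_args(event: dict) -> bool:
    return not missing_tokens(event)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_image(event) and selection_args(event)


# Constructed events (placeholders: pids, tids and paths are made up).
SAMPLE_EVENTS = {
    # The shape the rule was written for: all seven tokens present.
    "edr_freeze_shape": {
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r'"C:\Windows\System32\WerFaultSecure.exe" /h /pid 4321 /tid 8765 '
                       r'/encfile C:\Users\Public\out.bin /cancel 1000 /type 268310',
    },
    # Same arguments, binary copied and renamed: Image misses, OriginalFileName still hits.
    "renamed_copy": {
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r'"C:\Users\Public\svchost.exe" /h /pid 4321 /tid 8765 '
                       r'/encfile C:\Users\Public\out.bin /cancel 1000 /type 268310',
    },
    # One token absent (/cancel): contains|all fails, so the rule does not fire.
    "no_cancel_flag": {
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "OriginalFileName": "WerFaultSecure.exe",
        "CommandLine": r'"C:\Windows\System32\WerFaultSecure.exe" /h /pid 4321 /tid 8765 '
                       r'/encfile C:\Users\Public\out.bin /type 268310',
    },
    # Ordinary WER worker with a different binary and flag style.
    "werfault_normal": {
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 2468 -s 1360",
    },
}


def evaluate(events: dict) -> dict:
    """Map each event label to whether the rule's condition is met."""
    return {label: matches(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{label:18} {'ALERT' if hit else 'no match'}")
```

Run it directly to get a verdict per event; missing_tokens tells you which part of selection_args failed, which is useful when tuning against real telemetry. Because every one of the seven tokens is required, a modified build of the tool that drops a flag or passes a different /type value slips past this rule; that narrowness is the trade-off behind the high level and the small false-positive surface, so pair it with broader coverage of unusual WerFaultSecure.exe parents and targets.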
