New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/edr-freeze-tool/

ONE SENTENCE SUMMARY:

EDR-Freeze is a tool that freezes EDR and antivirus processes by abusing built-in Windows components (WerFaultSecure.exe and MiniDumpWriteDump) rather than a vulnerable driver, leaving security software suspended while an attacker operates.

MAIN POINTS:

  1. EDR-Freeze puts EDR and antivirus processes into a suspended state using only legitimate, signed Windows components.
  2. It avoids the bring-your-own-vulnerable-driver approach, so there is no driver load for a blocklist or driver-monitoring rule to catch.
  3. It relies on MiniDumpWriteDump, which suspends every thread of the target process while the memory dump is being written.
  4. The dump is performed by WerFaultSecure.exe, which runs as a Protected Process Light at a level high enough to open other PPL processes, including antimalware services; this is how the tool gets past PPL protection without a driver.
  5. A race condition keeps the target frozen: the tool suspends WerFaultSecure.exe itself while the dump is in progress, so the target's threads are never resumed.
  6. The tool takes only two parameters: the target Process ID and the suspension duration.
  7. The security product is frozen, not killed or unloaded, so nothing is permanently disabled and no tamper-protection alarm is raised by a terminated service.
  8. The technique was tested successfully against MsMpEng.exe, the Windows Defender antimalware service.
  9. A demonstration was released to showcase the technique.
  10. Detection comes down to process-creation monitoring: alert on WerFaultSecure.exe launches whose command-line arguments reference the PID of a security process, especially when the parent is not the normal Windows Error Reporting path.
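The detection logic from point 10, written out as an added example. This is not code from the EDR-Freeze tool or from the article: the log record format, the `/pid <n>` argument shape shown in the sample command lines, the `SENSITIVE_IMAGES` list and the sample events are all constructed for illustration. The idea is the one the article describes: correlate a WerFaultSecure.exe launch with the PIDs of security processes seen earlier in the process-creation stream.

```python
"""
Detection sketch for EDR-Freeze-style abuse of WerFaultSecure.exe.

Added example, not code from the EDR-Freeze tool or the article. It parses
constructed process-creation records (loosely shaped like Sysmon Event ID 1
fields) and flags a WerFaultSecure.exe launch whose command line names the
PID of a known security process.
"""
import re
from dataclasses import dataclass

# Image names of security processes worth protecting. Constructed list for
# this example; extend it with your own EDR/AV binaries.
SENSITIVE_IMAGES = {
    "MsMpEng.exe",   # Microsoft Defender antimalware service
    "MsSense.exe",   # Defender for Endpoint sensor
}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # basename of the executable
    parent_image: str   # basename of the parent executable
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        pid=int(fields["ProcessId"]),
        image=fields["Image"].rsplit("\\", 1)[-1],
        parent_image=fields["ParentImage"].rsplit("\\", 1)[-1],
        command_line=fields["CommandLine"],
    )


def find_werfaultsecure_abuse(events):
    """
    Return one alert per WerFaultSecure.exe launch whose command line contains
    a numeric token equal to the PID of a sensitive process seen earlier.

    Only the PID correlation triggers the alert; the parent image is carried
    along for triage, since legitimate WerFaultSecure.exe launches come from
    the Windows Error Reporting machinery rather than an arbitrary user tool.
    """
    pid_to_image = {}
    alerts = []
    for ev in events:
        pid_to_image[ev.pid] = ev.image
        if ev.image.lower() != "werfaultsecure.exe":
            continue
        # Match any numeric argument; the exact WerFaultSecure.exe argument
        # syntax is not reproduced here, so do not key on flag names.
        for token in re.findall(r"\d+", ev.command_line):
            target = pid_to_image.get(int(token))
            if target in SENSITIVE_IMAGES:
                alerts.append({
                    "launcher_pid": ev.pid,
                    "parent_image": ev.parent_image,
                    "target_pid": int(token),
                    "target_image": target,
                    "command_line": ev.command_line,
                })
                break
    return alerts


# Constructed sample stream: Defender starts, an unrelated notepad starts,
# then two WerFaultSecure.exe launches. Only the one that names the Defender
# PID (and is spawned by a user-level tool) should be flagged.
SAMPLE_EVENTS = [
    "ProcessId=4120|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"
    "|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine=MsMpEng.exe",
    "ProcessId=6612|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
    "ProcessId=7788|Image=C:\\Windows\\System32\\WerFaultSecure.exe"
    "|ParentImage=C:\\Users\\lab\\EDR-Freeze.exe"
    "|CommandLine=WerFaultSecure.exe /h /pid 4120 /tid 4128",
    "ProcessId=8012|Image=C:\\Windows\\System32\\WerFaultSecure.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=WerFaultSecure.exe /h /pid 6612 /tid 6620",
]


def detect_sample():
    """Run the detector over the constructed sample stream."""
    return find_werfaultsecure_abuse(parse_event(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

In a real deployment the PID-to-image map would be fed from live process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled), and the parent-image field would be used to suppress launches that come from the Windows Error Reporting service itself.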

TAKEAWAYS:

  1. EDR-Freeze chains legitimate, signed Windows components (WerFaultSecure.exe and MiniDumpWriteDump) to neutralize security software without dropping a driver or tampering with the product itself.
  2. It removes the attacker's dependency on vulnerable drivers, so driver blocklists and BYOVD detections do not cover this technique.
  3. Defenders need process-creation and command-line monitoring that treats WerFaultSecure.exe launches referencing security-process PIDs, or spawned by unexpected parents, as suspicious.
  4. The technique shows how much can be achieved by abusing documented Windows behaviour (PPL trust levels, thread suspension during dumping) rather than exploiting a memory-safety bug.
  5. Freezing rather than killing a security product is hard to notice from the product's own health checks, which is a reason to validate EDR liveness from outside the endpoint as well.