EDR-Freeze – Forensic Analysis of an EDR Coma Attack

Source: itamarhall.github.io

Author: unknown

URL: https://itamarhall.github.io/Tracepoint/blog/writeups/edr-freeze-investigation/

ONE SENTENCE SUMMARY:

EDR-Freeze demonstrates how attackers can temporarily suspend EDR processes using Windows components, impacting defender visibility and requiring advanced forensic detection.

MAIN POINTS:

  1. EDR-Freeze uses Windows Error Reporting to suspend EDR processes temporarily.
  2. The technique involves WerFaultSecure.exe and DbgHelp's MiniDumpWriteDump component.
  3. The targeted EDR process appears suspended in memory, which interrupts its telemetry.
  4. Volatility tools help identify the forensic artifacts left by EDR-Freeze.
  5. Memory forensics reveals the suspended threads and the handles used.
  6. File activity is observed in the form of a temporary t.txt file being created.
  7. Imports such as MiniDumpWriteDump indicate a binary's potential to suspend processes.
  8. YARA rules help detect EDR-Freeze's presence in binaries and in memory.
  9. The source code explains the memory and file artifacts observed.
  10. The technique showcases the risk of trusted OS components being used maliciously.

TAKEAWAYS:

  1. Detection goes beyond logs to include memory analysis and forensic investigation.
  2. YARA rules can catch both binary and behavioral indicators of EDR-Freeze.
  3. EDR processes are vulnerable to suspension without kernel exploits.
  4. The technique highlights the potential abuse of trusted Windows components by attackers.
  5. The writeup encourages a focus on memory forensics as a crucial part of incident response.