
Novel attack technique freezes endpoint security via Windows function


Endpoint detection and response (EDR) tools protect users against compromise. EDR-Freeze disables them by abusing Windows Error Reporting, without exploiting a single vulnerability.

The approach revolves around WerFaultSecure.exe, a Windows Error Reporting component that runs as a Protected Process Light (PPL). Its job is to collect crash dumps from sensitive system processes so that they can be debugged, which it does through the MiniDumpWriteDump API from the DbgHelp library. EDR-Freeze abuses that legitimate dumping behaviour. The security researcher TwoSevenOneThree, publishing on the Zero Salarium blog, discovered the problem and describes how it can be exploited. The end result is EDR tooling that goes "into a coma".

When a memory snapshot of a process is taken, all threads of the target process are temporarily suspended. Normally they resume as soon as the dump is complete. EDR-Freeze turns this into a race: it launches WerFaultSecure against the PID of the EDR process, waits until WerFaultSecure has suspended the target's threads, and then suspends WerFaultSecure itself before it reaches the step that resumes them. Both processes now sit frozen, and nothing is left running that would ever wake the EDR up.

Smarter approach than BYOVD

Traditional methods of bypassing EDR tools rely on Bring Your Own Vulnerable Driver (BYOVD) techniques. Attackers load legitimate but vulnerable kernel drivers to gain kernel-level code execution. This approach carries risks: the driver has to be smuggled onto the target system, driver-loading protections such as Microsoft's vulnerable driver blocklist have to be bypassed, and kernel traces have to be cleaned up. All of this makes a BYOVD attack considerably more likely to fail or be detected than EDR-Freeze.

EDR-Freeze works differently. TwoSevenOneThree developed a method that operates entirely from user mode. It uses only components that ship with Windows, eliminating the need for an external driver. Nothing in the chain is inherently malicious: launching WerFaultSecure against a PID and suspending a process are both ordinary operations, so no single step trips a built-in control. The technique does still require local administrator rights on the target.

Defense possible but limited

According to the researcher, defenders can watch for WerFaultSecure being launched with a command line that references the PID of a sensitive process such as LSASS or a security product. Security researcher Steven Lim has already published a detection that correlates WerFaultSecure launches with the PIDs of Microsoft Defender for Endpoint processes.
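The detection the researcher describes, as an added example (not the researcher's or Steven Lim's code): it takes process-creation records and a snapshot of the process table, and flags every WerFaultSecure.exe launch whose /pid argument points at LSASS or a Defender process. The event fields, the sensitive-process names, the expected parent images and the sample events are all constructed assumptions; the /pid argument is the one WerFaultSecure takes to identify its dump target.

```python
"""Flag WerFaultSecure.exe launches that target LSASS or endpoint-security
processes. Added example; not code from EDR-Freeze or from any detection vendor."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Image names (lower-case) that a crash-dump request should never target outside
# a genuine crash: LSASS plus Microsoft Defender's engine and sensor processes.
# Illustrative assumption; extend with your own EDR's process names.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "mssense.exe"}

# Parents that legitimately spawn WerFaultSecure (the WER service host). Assumption.
EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe"}

# WerFaultSecure receives its dump target as "/pid <number>" on the command line.
PID_RE = re.compile(r"(?:^|\s)/pid\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    image: str          # basename of the created process
    parent_image: str   # basename of the parent process
    command_line: str


@dataclass(frozen=True)
class Alert:
    werfault_pid: int
    target_pid: int
    target_image: str
    parent_image: str
    reason: str


def dump_target_pid(command_line: str) -> Optional[int]:
    """Return the PID named by /pid, or None if the command line has none."""
    m = PID_RE.search(command_line)
    return int(m.group(1)) if m else None


def find_freeze_attempts(events: Iterable[ProcessEvent],
                         process_table: Dict[int, str]) -> List[Alert]:
    """process_table maps live PIDs to image basenames (any case)."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.image.lower() != "werfaultsecure.exe":
            continue
        target = dump_target_pid(ev.command_line)
        if target is None:
            continue
        target_image = process_table.get(target, "<unknown>").lower()
        reasons = []
        if target_image in SENSITIVE_IMAGES:
            reasons.append(f"dump target {target_image} is a protected security process")
        if ev.parent_image.lower() not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {ev.parent_image}")
        if reasons:
            alerts.append(Alert(ev.pid, target, target_image, ev.parent_image,
                                "; ".join(reasons)))
    return alerts


# Constructed sample data: a process-table snapshot and four creation events.
SAMPLE_PROCESSES = {712: "lsass.exe", 3304: "MsMpEng.exe",
                    5120: "notepad.exe", 4400: "explorer.exe"}
SAMPLE_EVENTS = [
    # Genuine crash handling: the WER service host dumps a user application.
    ProcessEvent(6001, "WerFaultSecure.exe", "svchost.exe",
                 "WerFaultSecure.exe /h /pid 5120 /tid 5124 /file 0x1a4 "
                 "/encfile 0x1a8 /cancel 0x1ac /type 268310"),
    # EDR-Freeze pattern: dump request against Defender's engine from an unrelated parent.
    ProcessEvent(6002, "WerFaultSecure.exe", "freeze.exe",
                 "WerFaultSecure.exe /h /pid 3304 /tid 3308 /file 0x1b0 "
                 "/encfile 0x1b4 /cancel 0x1b8 /type 268310"),
    # Same pattern against LSASS.
    ProcessEvent(6003, "WerFaultSecure.exe", "freeze.exe",
                 "WerFaultSecure.exe /h /pid 712 /tid 716 /file 0x1c0 "
                 "/encfile 0x1c4 /cancel 0x1c8 /type 268310"),
    # Noise: an unrelated process that must be ignored.
    ProcessEvent(6004, "notepad.exe", "explorer.exe", "notepad.exe C:\\notes.txt"),
]

if __name__ == "__main__":
    for alert in find_freeze_attempts(SAMPLE_EVENTS, SAMPLE_PROCESSES):
        print(alert)
```

The first event is left alone because a WER-spawned dump of a user application is exactly what WerFaultSecure is for; the check is on who the dump targets and who asked for it, not on WerFaultSecure running at all. In production the process table should be sampled at event time, since the PID in the command line is only meaningful against the processes alive when the dump was requested.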

Microsoft could harden the Windows components against abuse by blocking suspicious calls, restricting which PIDs WerFaultSecure may be pointed at, or limiting the parameters it accepts. As BleepingComputer pointed out, however, this is more of a design flaw than a vulnerability in the classic sense. How likely real-world exploitation is remains unclear, so it is good news that a security researcher appears to have been the first to find it. The EDR-Freeze tool was successfully tested on Windows 11 24H2, where it froze the Windows Defender antimalware process.
