This article introduces EDR-Freeze, a novel user-mode technique that evades security solutions without needing vulnerable drivers. It highlights the method's reliance on Windows Error Reporting and suggests possible defenses against this stealthy attack. #EDRFreeze #MicrosoftWindows
Key points
- EDR-Freeze exploits Windows Error Reporting to suspend security processes without kernel drivers.
- The technique uses WerFaultSecure and MiniDumpWriteDump APIs to temporarily halt antivirus activities.
- This method operates entirely from user mode, making it more stealthy than traditional driver-based attacks.
- The attack chain involves suspending WerFaultSecure, which triggers a race condition to freeze security processes.
- Defense strategies include monitoring WER processes and restricting their invocation for sensitive processes.
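The last point, monitoring WER processes, can be turned into a concrete detection rule. The following is an added example (not code from the article or the EDR-Freeze research): it scans constructed Sysmon-style process-creation records and flags any WerFaultSecure.exe launch that comes from an untrusted parent or whose `/pid` argument (assumed here to name the target process) points at a known security product process. The image paths, PIDs and the trusted-parent list are constructed assumptions to adapt to your environment.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. Paths, PIDs and parents are made up for this example.
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k WerSvcGroup"},
    {"pid": 5220, "image": r"C:\Program Files\ExampleAV\avservice.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "avservice.exe"},
    # Legitimate crash handling: the WER service host spawns WerFaultSecure for a user app.
    {"pid": 6001, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmd": "WerFaultSecure.exe /h /pid 7000 /tid 7004"},
    # Suspicious: WerFaultSecure launched by a user-writable-path binary and aimed at the AV service PID.
    {"pid": 6002, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "parent": r"C:\Users\Public\tool.exe", "cmd": "WerFaultSecure.exe /h /pid 5220 /tid 5224"},
]

# Constructed list of security-product images to protect (lower-cased for comparison).
SECURITY_IMAGES = {r"c:\program files\exampleav\avservice.exe"}
# Assumption: legitimate WerFaultSecure launches come from the WER service host (svchost).
TRUSTED_WER_PARENTS = {r"c:\windows\system32\svchost.exe"}
# Assumption about WerFaultSecure's command line: the target process is given as "/pid <n>".
PID_ARG = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)


def detect(events):
    """Return [(werfaultsecure_pid, [reasons])] for suspicious WerFaultSecure launches."""
    pid_to_image = {e["pid"]: e["image"].lower() for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith(r"\werfaultsecure.exe"):
            continue
        reasons = []
        if e["parent"].lower() not in TRUSTED_WER_PARENTS:
            reasons.append(f"untrusted parent {e['parent']}")
        m = PID_ARG.search(e["cmd"])
        if m:
            target = pid_to_image.get(int(m.group(1)))
            if target in SECURITY_IMAGES:
                reasons.append(f"targets security process pid {m.group(1)} ({target})")
        if reasons:
            alerts.append((e["pid"], reasons))
    return alerts


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS):
        print(f"ALERT WerFaultSecure pid={pid}: " + "; ".join(reasons))
```

In a real deployment the PID-to-image map would come from the same telemetry stream rather than from the sample list, and the trusted-parent set should be validated against your own baseline of normal WER activity.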